A popular library for rendering images in the WebP format has a critical vulnerability that is under active exploitation.
The vulnerability is with the libwebp library and it suffers from a heap buffer overflow which allows a remote attacker to perform an out of bounds memory write via a crafted HTML page. Successful exploitation could cause a system crash, as well as access to privilege data and arbitrary code execution. It was first disclosed by Google and given a high CVSS rating as it was thought to only affect the chrome browser. However Google raised the rating to the maximum score, making it a critical vulnerability when it was discovered that the vulnerability’s scope was much wider than initially assumed. The flaw affected browsers and applications that use the libwebp library and include popular applications like 1Password, Signal, other browsers like Firefox, Microsoft Edge, Safari and websites running applications such as ngnix, python, wordpress, Joomla and more. The extended scope means that it affects millions of applications. This vulnerability has been patched, so make sure your browsers, systems and web applications are up to date and running the most stable and secure version.
https://therecord.media/libwebp-vulnerability-more-widespread-than-expected
https://thehackernews.com/2023/09/new-libwebp-vulnerability-under-active.html
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
This segment was created for the It’s 5:05 podcast