Facepalm: A traditional image file should just contain graphics and metadata useful to show a picture – or a series of pictures – on the screen. But things have become much more complex than that, and a “simple” WebP image can now become a malicious vector to be exploited in cyber-crime operations.
Google has recently released a new Stable Channel Update for its Chrome web browser on all supported PC operating systems, which is designed to fix an actively exploited security vulnerability. Details about the flaw are unknown at this point, but the issue is affecting browsers and internet clients developed by other companies as well.
Tracked as CVE-2023-4863, the bug is described as heap buffer overflow in Chrome’s WebP support prior to version 116.0.5845.187. A remote attacker could exploit the flaw to perform a memory write outside the allocated buffer via a crafted HTML page, which could lead to arbitrary (and likely malicious) code execution.
Google acknowledges the analysis work done by researchers at Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto, who recently discovered another zero-day flaw abused by NGO Group to install the Pegasus spyware on iPhone and iPad devices. CVE-2023-4863 is a critical vulnerability, Google explains, with an exploit already circulating “in the wild.”
Mountain View recently introduced Stable Channel Updates as a way to quickly provide critical security updates to Chrome users every week. CVE-2023-4863 is a blatant demonstration of the fact that the company did the right thing. The 0-day flaw is also affecting web browsers and other internet tools developed by Mozilla.
The open source foundation worked in sync with Google, and Microsoft’s Patch Tuesday cycle, to provide freshly-cooked updates for the Firefox web browser (117.0.1, ESR 115.2.1, ESR 102.15.1) and Thunderbird mail client (102.15.1, 115.2.2). Mozilla’s advisory also acknowledges Apple and The Citizen Lab for reporting the vulnerability, which was found in Google’s official WebP codec library (libwebp).
Opening a “malicious” WebP image could lead to a heap buffer overflow in the content process, Mozilla explains, with potential crashes or arbitrary code execution. Both Mozilla and Google decided to keep specific details about the bug undisclosed, for now, as specially crafted attacks are still ongoing and users will need time to download and install the updates.