Without attracting much attention, Google has resubmitted its documentation for a zero-day vulnerability disclosed in recent days.
Although the exploit was presented as limited to the Chrome browser, it actually affects thousands of individual apps and frameworks. Despite a first patch offered to users, Google has therefore had to backtrack and clarify the extent of this security flaw.
The vulnerability originates in the libwebp code library, which Google created in 2010 for rendering images in the WebP format. At the time this was an innovative format, capable of producing files up to 26% smaller than classic PNG images.
Libwebp is built into virtually every app, operating system, or other code library that renders images of this type, especially the Electron framework used in Chrome and many other apps that work on both desktop and mobile devices.
The zero-day vulnerability does not only affect Chrome: alarm for thousands of apps and frameworks
Google’s formal description, tracked as CVE-2023-4863, identified the affected vendor as Google and the affected software as Chrome although, in reality, any code using libwebp was vulnerable.
Critics have forcefully pointed out that Google’s failure to notice that thousands of other pieces of code are also vulnerable would result in unnecessary delays in fixing the vulnerability. This could give cybercriminals a considerable operational advantage, given that they were able to operate for two weeks without any particular enforcement action.
In any case, Google has submitted new documentation with additional information, tracked as CVE-2023-5129, with a considerably increased level of severity.
Whether tracked as CVE-2023-4863 or CVE-2023-5129, the vulnerability in libwebp remains serious. Before using the apps, users should ensure that the versions of Electron they are using are v22.3.24, v24.8.3 or v25.8.1. It is also a good idea to update all software installed on your computer to the most recent version available.
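
The version check described above can be automated across an inventory of Electron-based apps. The following is an added example, not code from Google or the Electron project. It assumes that a later release in the same major line keeps the fix, and the app names and versions in the inventory are constructed for illustration.

```javascript
// Fixed Electron releases named in the article, keyed by major version line.
const FIXED = { 22: [22, 3, 24], 24: [24, 8, 3], 25: [25, 8, 1] };

// Parse "v25.8.1" or "25.8.1-beta.2" into { parts: [25, 8, 1], pre: true|false }.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Classify one Electron version string against the article's list.
// Assumption: a later release in the same major line keeps the fix.
function classifyElectron(text) {
  const v = parseVersion(text);
  if (!v) return "invalid";
  const fixed = FIXED[v.parts[0]];
  if (!fixed) return "unlisted"; // the article names no fixed release for this line
  const cmp = compareTriples(v.parts, fixed);
  // A prerelease of the fixed version sorts before the final release.
  if (cmp > 0 || (cmp === 0 && !v.pre)) return "patched";
  return "needs-update";
}

// Attach a status to every entry of an inventory of { app, electron } records.
function audit(apps) {
  return apps.map(({ app, electron }) => ({ app, electron, status: classifyElectron(electron) }));
}

// Constructed inventory: app names and versions are made up for illustration.
const inventory = [
  { app: "chat-client", electron: "v22.3.23" },
  { app: "notes-app", electron: "24.8.3" },
  { app: "code-editor", electron: "25.8.1-beta.1" },
  { app: "mail-client", electron: "23.3.13" },
];

for (const row of audit(inventory)) {
  console.log(`${row.app}\t${row.electron}\t${row.status}`);
}
```

An Electron app exposes the bundled framework version at runtime as `process.versions.electron`, which is one source for the inventory. Entries reported as "unlisted" belong to a release line the article does not mention and need to be checked against the vendor's own advisory.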