The security problem discovered in the library that manages content in WebP format does not only affect web browsers. The effects can be disruptive for any software that relies on it bookshelf.
The security vulnerabilities main (CVE-2023-4863) specifically affects the library
libwebp: an attacker exploits it, it can causecode execution arbitrary remotely. A second security hole (CVE-2023-5217) has to do with a bug in the VP8 encoding in the open source library
libvpxcommonly used to implement support for various codec video in applications, including VP8 and VP9.
In either case, a remote attacker can cause an error heap buffer overflow which occurs when an application writes data beyond the amount of dynamically allocated memory within the heap (region of memory used by programs during execution to allocate long-term data).
In this specific case, the problem occurs when processing data in WebP format and VP8 video. If an attacker successfully exploits this vulnerability, he can overwrite critical parts of the memory con malicious datacausing crashes and triggering arbitrary code execution on the victim’s system.
Where vulnerable libraries are used
libwebp it is used in a large number of projects to encode and decode images in the WebP format, including modern web browsers such as Chrome, Edge, Firefox, Opera, Safari, and more, such as web browsers on Android. But there are also popular apps that adopt the same library: 1Password e Signal, to name a couple. Installing the latest updates of the various applications is therefore essential to avoid taking unnecessary risks.
The other component mentioned at the beginning,
libvpxis used for example for encoding and decoding video VP8 e VP9 by the most well-known multimedia players and online streaming platforms such as Netflix, YouTube and Amazon Prime Video.
Microsoft extends the list of vulnerable programs and invites you to update
Microsoft also points out that it has in-depth investigations into its products, confirming that the vulnerabilities do not only affect Edge but also products such as Teams e Skype for desktop systems in addition to WebP extensions (available through the Microsoft Store or directly in Windows). The three applications, if without the latest corrective patches, are vulnerable to the CVE-2023-4863 flaw. Edge, at the moment, remains the only product from the Redmond company that requires corrective updates for both the CVE-2023-4863 and CVE-2023-5217 flaw.
Both vulnerabilities in question are listed as already exploited by cyber criminals to conduct dangerous targeted attacks. Sending victims malicious WebP or VP8 content, capable of causing the automatic execution of code on the system, represents a great opportunity to launch particularly effective cyber attacks.
For this reason, all parties involved are trying to maintain confidentiality technical details of the two vulnerabilities. At least until the vast majority of users have installed the corrective updates intended for the various applications.
How to protect your system from vulnerabilities in WebP and VP8 libraries
To protect yourself from anything risk of attackthe suggestion is to immediately proceed with updating Edge, Teams, Skype and WebP extensions for Windows.
In the case of Edge, to install the latest version, just type
edge://settings/help in the address bar then restart your browser when prompted.
Both Skype and Teams, however, must be updated by clicking on the icon Microsoft Store, often displayed in the taskbar or accessed from the operating system’s Start menu. In the case of Skype, don’t trust the message You are using the updated version of Skype which appears by clicking on the three dots in the application interface, on Settingsare Guidance and feedback.
Instead, go to the Microsoft Store window and click on the icon Collection bottom left then up Get updates. Finally, look for references to Skype and Teams by clicking on the corresponding buttons Update. To make it easier, you can click Update everything.
Still on the Microsoft Store screen, it is important to update the WebP image extensions. Typing
Get-AppxPackage -Name Microsoft.WebpImageExtension in a PowerShell window you will see 1.0.62681.0 (or a later release) as the version number: this means that you are protected from the vulnerability inherent in the WebP library.
Opening image credit: iStock.com/Olemedia