The vulnerability, tracked under CVE-2023-4863, was described as a heap buffer overflow in WebP within Google Chrome.
What is WebP?
WebP is a type of image file that has been around for more than 10 years and is used in many different kinds of software, like web browsers, email programs, chat apps, and even entire computer systems. Because it's so widely used, the flaw in how it reads certain images could impact a lot of different software and potentially affect almost anyone who uses WebP images.
How does the vulnerability work?
The vulnerability is a flaw in the way libwebp, the library that decodes WebP image files, handles certain images. An attacker can craft a malformed WebP image that tricks the decoder into writing data past the end of a heap buffer. This corrupts neighbouring data in the program's memory and could even let the attacker run their own code on the victim's machine.
The problem with libwebp was especially concerning because it was a "zero-click" issue. This means that attackers could exploit the flaw just by getting a user's software to display a harmful WebP image; the user didn't have to click on anything or take any other action to trigger the attack.
We believe that this issue is extremely risky, much like the Apache Log4j 2 problem that came up in 2021. It's not just Chrome that's at risk. Other web browsers like those from Mozilla, Microsoft, Opera, and Apple could be affected, as well as different Linux programs, web development tools, and even popular platforms like WordPress, 1Password, GitHub, Twitch, and Signal. They all could potentially be vulnerable.
For this vulnerability it's important not only to patch the browsers: every copy of the "libwebp" library, including those bundled inside other applications, needs to be brought up to date as well!
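The following POSIX shell script is an added example, not code from the original post or from the libwebp project, showing how to act on that point on a Linux host: it collects the libwebp versions reported by the distribution package manager, the cwebp tool, and Pillow's bundled copy, and flags any that are older than the fixed release. The package names (libwebp7, libwebp), the Pillow probe, and the FIXED_VERSION threshold are assumptions; set FIXED_VERSION from the vendor advisory for CVE-2023-4863 before running it.

```shell
#!/bin/sh
# Added example (not part of the original post): inventory the copies of
# libwebp on a Linux host and flag any that are older than the fixed release.
# FIXED_VERSION is an assumption; set it from the vendor advisory for
# CVE-2023-4863 before running, e.g.  FIXED_VERSION=x.y.z ./libwebp-check.sh
FIXED_VERSION="${FIXED_VERSION:-0.0.0}"

# normalize VERSION: keep the leading digits-and-dots part (drops suffixes such
# as "-1ubuntu1") and pad so that four numeric fields always exist.
normalize() {
  printf '%s.0.0.0' "$(printf '%s' "$1" | sed 's/[^0-9.].*//')"
}

# version_lt A B: succeed (exit 0) if dotted version A is strictly older than B.
version_lt() {
  a=$(normalize "$1"); b=$(normalize "$2"); i=1
  while [ "$i" -le 4 ]; do
    pa=$(printf '%s' "$a" | cut -d. -f"$i"); pb=$(printf '%s' "$b" | cut -d. -f"$i")
    if [ "${pa:-0}" -lt "${pb:-0}" ]; then return 0; fi
    if [ "${pa:-0}" -gt "${pb:-0}" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# libwebp_status VERSION: print OUTDATED or OK relative to FIXED_VERSION.
libwebp_status() {
  if version_lt "$1" "$FIXED_VERSION"; then echo OUTDATED; else echo OK; fi
}

# report SOURCE VERSION: one inventory line. Anything that does not start with
# a digit (empty output, "package ... is not installed") counts as not found.
report() {
  case "$2" in
    [0-9]*) echo "$1: $2 $(libwebp_status "$2")" ;;
    *) echo "$1: not found" ;;
  esac
}

# inventory: look in the usual places a copy of libwebp ends up. Each probe is
# skipped if the tool is absent, so the script runs on any host.
inventory() {
  echo "Checking against fixed version $FIXED_VERSION"
  # Distribution package (Debian/Ubuntu first, then RPM-based systems).
  if command -v dpkg-query >/dev/null 2>&1; then
    report "dpkg libwebp7" "$(dpkg-query -W -f='${Version}' libwebp7 2>/dev/null)"
  elif command -v rpm >/dev/null 2>&1; then
    report "rpm libwebp" "$(rpm -q --qf '%{VERSION}' libwebp 2>/dev/null)"
  fi
  # Command-line encoder shipped with libwebp; prints its release number.
  if command -v cwebp >/dev/null 2>&1; then
    report "cwebp" "$(cwebp -version 2>/dev/null | head -n1)"
  fi
  # Pillow bundles its own libwebp, independent of the system copy
  # (assumes a Pillow release that provides PIL.features.version).
  if command -v python3 >/dev/null 2>&1; then
    report "Pillow (PIL)" "$(python3 -c 'from PIL import features; print(features.version("webp") or "")' 2>/dev/null)"
  fi
  # Shared objects on the loader path: the soname does not carry the release,
  # so these are listed for manual follow-up rather than compared.
  if command -v ldconfig >/dev/null 2>&1; then
    ldconfig -p 2>/dev/null | grep -i 'libwebp\.so' | sed 's/^/ loader path: /'
  fi
  return 0
}

inventory
```

The version comparison is numeric per field, so 1.10.0 correctly ranks above 1.9.9, and distribution suffixes are ignored; a copy statically linked into a browser or chat client will not show up here, which is why patching each application remains necessary alongside the system library.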