CVE-2023-4863: Google WebP Vulnerability Affects Major Browsers and Applications
A critical WebP vulnerability, known as CVE-2023-4863, has the potential to allow hackers remote access to your entire system.
This significant flaw has been discovered within the WebP codec, prompting major web browsers to swiftly roll out security updates.
However, the widespread use of the same WebP rendering code means countless applications are also vulnerable until they release security patches. So, what exactly is CVE-2023-4863, and how bad is it?

What is the WebP CVE-2023-4863 Vulnerability?
The issue within the WebP codec has been identified as CVE-2023-4863. It originates in a specific function in the WebP rendering code, BuildHuffmanTable, which leaves the codec susceptible to a heap buffer overflow.
A heap buffer overflow occurs when a program writes more data into a memory buffer than it is designed to hold, potentially overwriting adjacent memory and corrupting data. What’s worse, hackers can exploit heap buffer overflows to remotely take control of systems and devices.
Hackers can target applications with known buffer overflow vulnerabilities and send malicious data to them. For example, they can upload malicious WebP images that, when viewed by users in a web browser or other applications, deploy code on the users’ devices.
Such vulnerabilities in widely used code like the WebP codec pose a severe problem. Besides major browsers, numerous applications use the same codec to render WebP images. As of now, CVE-2023-4863 is so widespread that its full extent is hard to quantify, and the cleanup process will likely be chaotic.
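To make the defect class concrete, here is a small, hypothetical table builder added for this article (it is not libwebp's BuildHuffmanTable and does not reproduce that function's logic): it expands code lengths taken from the image into a heap-allocated lookup table, and the single comparison between entries needed and entries allocated is what separates a safe decoder from a heap buffer overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified code-length table builder written for this article.
 * It is NOT libwebp's BuildHuffmanTable; it only shows the shape of the defect
 * class. The decoder expands the code lengths declared in the (untrusted) image
 * into a flat lookup table of 1 << max_len entries on the heap. The caller
 * sized that buffer from an assumption about the longest code; if nothing
 * compares "entries needed" with "entries allocated", the fill loop writes past
 * the end of the heap block, which is a heap buffer overflow. */

#define MAX_CODE_LEN 15

/* Fills table[prefix] = symbol for every max_len-bit prefix. Returns the number
 * of entries written, or -1 if the lengths are invalid or would not fit in
 * `cap` entries. */
int build_table(const uint8_t *lens, size_t n, uint16_t *table, size_t cap)
{
    size_t count[MAX_CODE_LEN + 1] = {0}, next_code[MAX_CODE_LEN + 1] = {0};
    unsigned max_len = 0;
    for (size_t s = 0; s < n; s++) {
        if (lens[s] > MAX_CODE_LEN) return -1;
        count[lens[s]]++;
        if (lens[s] > max_len) max_len = lens[s];
    }
    if (max_len == 0) return -1;
    size_t need = (size_t)1 << max_len;
    /* The bounds check. Without it, an image whose longest code exceeds the
     * caller's assumption makes the writes below land in adjacent heap memory. */
    if (need > cap) return -1;
    /* Canonical code assignment: codes of the same length are consecutive. */
    size_t code = 0;
    count[0] = 0;                       /* length-0 entries are unused symbols */
    for (unsigned len = 1; len <= max_len; len++) {
        code = (code + count[len - 1]) << 1;
        next_code[len] = code;
    }
    memset(table, 0xFF, need * sizeof *table);   /* 0xFFFF marks an empty slot */
    for (size_t s = 0; s < n; s++) {
        unsigned len = lens[s];
        if (len == 0) continue;
        size_t c = next_code[len]++;
        if (c >= ((size_t)1 << len)) return -1;  /* over-subscribed code set */
        size_t width = (size_t)1 << (max_len - len);
        for (size_t k = 0; k < width; k++)
            table[(c << (max_len - len)) + k] = (uint16_t)s;
    }
    return (int)need;
}
```

A caller that allocated 256 entries for an assumed 8-bit maximum and then fed this routine an image declaring 12-bit codes gets -1 instead of 4096 writes into a 256-entry block.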
Is My Favorite Browser Safe?
Yes, most mainstream browsers have already released updates to address this issue. So, as long as you update your applications to the latest versions, you can continue to browse the web securely. Google, Mozilla, Microsoft, Brave, and Tor have all issued security patches, and other companies may have done so by the time you read this article.
Updates containing fixes for this specific vulnerability include:
- Chrome: Version 116.0.5846.187 (Mac / Linux); Version 116.0.5845.187/.188 (Windows)
- Firefox: Firefox 117.0.1; Firefox ESR 115.2.1; Thunderbird 115.2.2
- Edge: Edge Version 116.0.1938.81
- Brave: Brave Version 1.57.64
- Tor: Tor Browser 12.5.4
If you use a different browser, check for the latest updates and look for specific references to the CVE-2023-4863 heap buffer overflow in WebP. For example, Chrome’s update notice contains the following reference: “Critical CVE-2023-4863: Heap Buffer Overflow in WebP.”
If you can’t find a reference to this vulnerability in the latest version of your preferred browser, consider switching to one of the versions listed above until a fix is released for your chosen browser.
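As an added check (example code written for this article, not from any vendor), the fixed versions listed above can be compared numerically against an installed version; the product keys and the per-platform split for Chrome are this example's own assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not from the article or any vendor: checks an installed
 * version against the fixed versions the article lists. Product keys are this
 * example's own names. For Chrome, Windows received 116.0.5845.187/.188 while
 * Mac/Linux received 116.0.5846.187, so the platforms get separate entries. */
static const struct { const char *product; const char *fixed; } fixes[] = {
    {"chrome-mac",     "116.0.5846.187"}, {"chrome-linux", "116.0.5846.187"},
    {"chrome-windows", "116.0.5845.187"}, {"firefox",      "117.0.1"},
    {"firefox-esr",    "115.2.1"},        {"thunderbird",  "115.2.2"},
    {"edge",           "116.0.1938.81"},  {"brave",        "1.57.64"},
    {"tor-browser",    "12.5.4"},
};

/* Parses one numeric component; returns where the next one starts. Anything
 * other than '.' after a number (e.g. "-beta") ends the version string. */
static const char *next_component(const char *p, unsigned long *out)
{
    char *end;
    *out = strtoul(p, &end, 10);
    if (*end == '.') return end + 1;
    return *end == '\0' ? end : "";
}

/* Numeric, component-wise comparison: -1, 0 or 1. A plain strcmp would rank
 * "116.0.5845.96" above "116.0.5845.187" because '9' > '1'; missing trailing
 * components count as 0, so "117.0" equals "117.0.0". */
int version_cmp(const char *a, const char *b)
{
    while (*a || *b) {
        unsigned long x, y;
        a = next_component(a, &x);
        b = next_component(b, &y);
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

/* 1 = at or above the fixed version, 0 = below it, -1 = product not in the list. */
int is_patched(const char *product, const char *installed)
{
    for (size_t i = 0; i < sizeof fixes / sizeof fixes[0]; i++)
        if (strcmp(fixes[i].product, product) == 0)
            return version_cmp(installed, fixes[i].fixed) >= 0;
    return -1;
}
```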
Can I Safely Use My Favorite Applications?
This is where it gets tricky. Unfortunately, the CVE-2023-4863 WebP vulnerability affects an unknown number of applications. First and foremost, any software using the libwebp library is susceptible to this vulnerability, meaning every provider needs to release its own security patch.
Making things more complex, this vulnerability is embedded in many popular frameworks used to build applications. In these cases, the framework needs to update first, and then the software providers using them must update to the latest versions to protect their users. This makes it difficult for regular users to know which applications are affected and which have addressed the issue.
Affected applications include Microsoft Teams, Slack, Skype, Discord, 1Password, Signal, LibreOffice, and Affinity Suite, among others.
1Password has released an update to address the issue, although their announcement page contains a spelling error in the CVE-2023-4863 vulnerability ID (ending in -36 instead of -63). Apple has also released security patches for macOS, seemingly addressing the same issue, although not explicitly mentioned. Similarly, Slack released a security update on September 12 (version 4.34.119) but did not reference CVE-2023-4863.
Update Everything and Proceed with Caution
As a user, your best course of action regarding the CVE-2023-4863 WebP Codec vulnerability is to update everything. Start with every browser you use and then move on to the most critical applications.
Check for specific references to the CVE-2023-4863 ID in the release notes for each application. If you can’t find a reference to this vulnerability in the latest release notes, consider switching to secure alternatives until your preferred application addresses the issue. If that’s not an option, check for security updates released after September 12 and continue updating promptly when new security patches become available.
While this doesn’t guarantee a resolution for CVE-2023-4863, it’s currently the best backup plan you have.
WebP: A Remarkable Solution with a Cautionary Tale
Google introduced WebP in 2010 as a solution for faster image rendering in browsers and other applications.
This format offers both lossy and lossless compression, reducing image file sizes by approximately 30% without a perceptible loss of quality.
In terms of performance, WebP is a solid solution for reducing rendering times.
However, it also serves as a cautionary tale about prioritizing security when widely adopted technologies meet immature development.
With the increase in zero-day vulnerability exploitation, companies like Google need to up their game, or developers will need to scrutinize technologies more closely.