Hackers are using WebP images to hack into people’s systems. All the major companies have agreed and released security patches for the browsers. NIST acknowledges the threat.
What is WebP? WebP is a contemporary image format offering advanced compression capabilities, both lossless and lossy, for web-based images. Its compatibility extends across all leading web browsers, encompassing Chrome, Firefox, Edge, and Safari.
All the major companies have responded to the situation:
- Google responded swiftly by releasing updates for Google Chrome on various platforms.
- Mozilla also planned to release updates for Firefox.
- Apple indicated that it had pushed an update for this vulnerability.
- Other browsers like Brave and Microsoft Edge were mentioned as having released updates.
- Electron-based applications, including Signal and 1Password for Mac, were considered vulnerable until they updated their libwebp versions.
- Various Linux platforms, such as Ubuntu, Debian, and SUSE, were actively updating their libwebp versions.
It’s not just web browsers. Other programs that use the same technology can also have this problem. Some of these programs are Signal, 1Password, and many more. They are also fixing the issue.
The Apple Security Engineering and Architecture (SEAR) team reported the vulnerability in collaboration with The Citizen Lab at The University of Toronto’s Munk School on September 6, 2023.
Google confirmed the existence of an exploit for CVE-2023-4863 in the wild, underscoring the urgency of addressing the issue.
The affected software versions that contain the necessary fixes are as follows:
Google:
- Chrome version 116.0.5846.187 (for Mac and Linux)
- Chrome version 116.0.5845.187/.188 (for Windows)
Mozilla:
- Firefox 117.0.1
- Firefox ESR 102.15.1
- Firefox ESR 115.2.1
- Thunderbird 102.15.1
- Thunderbird 115.2.2
Microsoft:
- Edge version 116.0.1938.81
Brave:
- Brave Browser version 1.57.64
Users are urged to immediately update their browsers and other affected apps. Suppose users are unable to update their software immediately. In that case, they can mitigate the risk of exploitation by avoiding untrusted websites and not opening attachments from unknown senders.
via StackDiary, TheVerge
