How to

This Critical WebP Vulnerability Affects Major Browsers and Apps

A critical vulnerability in the WebP Codec has been discovered, forcing major browsers to fast-track security updates. However, widespread use of the same WebP rendering code means countless apps are also affected, until they release security patches.

So what is the CVE-2023-4863 vulnerability? How bad is it? And what can you to?

What Is the WebP CVE-2023-4863 Vulnerability?

The issue in the WebP Codec has been named CVE-2023-4863. The root lies within a specific function of the WebP rendering code (the “BuildHuffmanTable”), making the codec vulnerable to heap buffer overflows.

A heap buffer overload occurs when a program writes more data to a memory buffer than it’s designed to hold. When this happens, it can potentially overwrite adjacent memory and corrupt data. Worse still, hackers can exploit heap buffer overflows to take over systems and devices remotely.

A command line interface displaying a malicious code

Hackers can target apps known to have buffer overflow vulnerabilities and send them malicious data. For example, they could upload a malicious WebP image that deploys code on the user’s device when they view it in their browser or another app.

This kind of vulnerability existing in code as widely used as the WebP Codec is a serious issue. Aside from major browsers, countless apps use the same codec to render WebP images. At this stage, the CVE-2023-4863 vulnerability is too widespread for us to know how big it really is and the cleanup is going to be messy.

Is It Safe to Use My Favorite Browser?

Yes, most major browsers have already released updates to address this issue. So, as long as you update your apps to the latest version, you can browse the web as usual. Google, Mozilla, Microsoft, Brave, and Tor have all released security patches and others have probably done so by the time you’re reading this.

The updates containing fixes for this specific vulnerability are:

  • Chrome: Version 116.0.5846.187 (Mac / Linux); version 116.0.5845.187/.188 (Windows)
  • Firefox: Firefox 117.0.1; Firefox ESR 115.2.1; Thunderbird 115.2.2
  • Edge: Edge version 116.0.1938.81
  • Brave: Brave version 1.57.64
  • Tor: Tor Browser 12.5.4

If you’re using a different browser, check for the latest updates and look for specific references to the CVE-2023-4863 heap buffer overflow vulnerability in WebP. For example, Chrome’s update announcement includes the following reference: “Critical CVE-2023-4863: Heap buffer overflow in WebP”.

Chrome update notes referencing a security patch for the WebP CVE-2023-4863 vulnerability

If you can’t find a reference to this vulnerability in the latest version of your favorite browser, switch to one listed above until a fix is released for your browser of choice.

Am I Safe to Use My Favorite Apps?

This is where it gets tricky. Unfortunately, the CVE-2023-4863 WebP vulnerability also affects an unknown number of apps. Firstly, any software using the libwebp library is affected by this vulnerability, which means each provider will need to release their own security patches.

To make matters more complicated, this vulnerability is baked into many popular frameworks used to build apps. In these instances, the frameworks need updating first and, then, software providers using them need to update to the latest version to protect their users. This makes it very difficult for the average user to know which apps are affected and which ones have addressed the issue.

Affected apps include Microsoft Teams, Slack, Skype, Discord, Telegram, 1Password, Signal, LibreOffice, and the Affinity suite—among so many more.

1Password has released an update to address the issue, although its announcement page includes a typo for the CVE-2023-4863 vulnerability ID (ending it with -36, instead of -63). Apple has also released a security patch for macOS that appears to resolve the same problem, but it doesn’t reference it specifically. Likewise, Slack released a security update on September 12 (version 4.34.119) but doesn’t reference CVE-2023-4863.

Update Everything and Proceed Carefully

As a user, the only thing you can do about the CVE-2023-4863 WebP Codex vulnerability is update everything. Start with every browser you use, and then work your way through your most important apps.

Check the latest release versions for every app you can and look for specific references to the CVE-2023-4863 ID. If you can’t find references to this vulnerability in the latest release notes, consider switching to a secure alternative until your preferred app addresses the issue. If this isn’t an option, check for security updates released after September 12 and keep updating as soon as new security patches are released.

This won’t guarantee the CVE-2023-4863 is being addressed but it’s the best fall-back option you’ve got at this point.

WebP: A Fine Solution With a Cautionary Tale

Google launched WebP in 2010 as a solution to rendering images faster in browsers and other applications. The format provides lossy and lossless compression that can reduce the size of image files by ~30 percent while maintaining perceptible quality.

Performance-wise, WebP is a fine solution for reducing rendering times. However, it’s also a cautionary tale of prioritizing a specific aspect of performance over others—namely, security. When half-baked development meets widespread adoption, it creates a perfect storm for source vulnerabilities. And, with zero-day exploits on the rise, companies like Google need to up their game or developers will have to scrutinize technologies more.

Leave a Reply

Your email address will not be published. Required fields are marked *