Carding
Critical vulnerabilities in two companies' systems have put other developers' products at risk.
According to a new report from the information security company Rezilion, recent advisories from Apple and Google gave incomplete information about critical vulnerabilities that are being actively exploited in their products. This omission has created a huge blind spot, leaving a large number of software products from other developers without fixes.
Two weeks ago, Apple warned that attackers were actively exploiting a vulnerability in iOS to install the Pegasus spyware. The attacks required no user interaction (zero-click): receiving a call or message on the iPhone was enough to infect the device.
Apple said that the vulnerability, tracked as CVE-2023-41064 (CVSS: 7.8) and already patched, stems from a buffer overflow bug in ImageIO, a framework that lets applications read and write most image formats, including WebP. Discovery of the vulnerability was credited to Citizen Lab.
A few days later, Google also reported a critical vulnerability in the Chrome browser, a buffer overflow in WebP handling. The vulnerability, identified as CVE-2023-4863 (CVSS: 8.8), was reported by Apple's security team and Citizen Lab.
It was quickly speculated that the two vulnerabilities might share a common source. Researchers at the security firm Rezilion have confirmed that both do indeed originate from the same bug in libwebp, the code library used for WebP image processing.
The researchers criticized Apple, Google and Citizen Lab for not coordinating their actions and not pointing to the common source of the vulnerability, instead using separate CVE identifiers. As a result, "millions of different applications" will remain vulnerable until the libwebp patch is applied. Google was also criticized for limiting its vulnerability description to the Chrome browser without mentioning the libwebp library, which is presumed to be vulnerable as well.
The list of software products that bundle libwebp and have not yet received fixes includes popular programs such as Microsoft Teams and Visual Studio Code, as well as many other applications built on the Electron framework.
However, many software products have already been updated to address this vulnerability. Among them:
- Google Chrome (Mac and Linux version 116.0.5845.187; Windows versions 116.0.5845.187/.188);
- Mozilla Firefox (version 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1) and Thunderbird (versions 102.15.1 and 115.2.2);
- Brave Browser (version 1.57.64);
- Microsoft Edge (versions 109.0.1518.140, 116.0.1938.81 and 117.0.2045.31);
- Tor Browser (version 12.5.4);
- Opera (version 102.0.4880.46);
- Vivaldi (version 6.2.3105.47);
- Debian, Ubuntu, Alpine, Gentoo, Red Hat, SUSE, Oracle and Amazon Linux.
Other software:
- Zulip Server – version 7.4;
- Electron – versions 22.3.24, 24.8.3, 25.8.1, 26.2.1 and 27.0.0-beta.2;
- Xplan – version 23.9.289;
- Signal-Desktop – version 6.30.2;
- Honeyview – version 5.51.
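As an added example (not code from the article, from Rezilion or from any of the vendors named), the following Python script turns the fixed-version lists above into a branch-aware check: a build only counts as patched if it is at or above the first fixed release of its own branch, anything older than every fixed branch is reported vulnerable, and a branch the lists do not name (Electron 23.x, for instance) is reported as unknown rather than assumed safe. It assumes that versions compare as dotted integer tuples with an optional "-prerelease" suffix and that a maintenance branch is identified by its major version, which holds for every product in the lists; the lower-case product keys and the sample inventory are constructed.

```python
"""Branch-aware check of installed builds against the libwebp fix releases.

Added example; not from the article or any vendor tool. Fixed versions are
copied from the lists above. Assumptions: versions compare as dotted integer
tuples with an optional '-prerelease' suffix, and a branch is identified by
its major version number.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# First fixed release for each product and branch, copied from the lists above.
# Chrome's Windows build .188 is covered by comparing against .187.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "chrome": ["116.0.5845.187"],
    "firefox": ["117.0.1", "115.2.1", "102.15.1"],
    "thunderbird": ["115.2.2", "102.15.1"],
    "brave": ["1.57.64"],
    "edge": ["117.0.2045.31", "116.0.1938.81", "109.0.1518.140"],
    "tor-browser": ["12.5.4"],
    "opera": ["102.0.4880.46"],
    "vivaldi": ["6.2.3105.47"],
    "zulip-server": ["7.4"],
    "electron": ["27.0.0-beta.2", "26.2.1", "25.8.1", "24.8.3", "22.3.24"],
    "xplan": ["23.9.289"],
    "signal-desktop": ["6.30.2"],
    "honeyview": ["5.51"],
}

VersionKey = Tuple[Tuple[int, ...], Tuple]


def parse_version(text: str) -> VersionKey:
    """Turn '117.0.1' or '27.0.0-beta.2' into a sortable key.

    A final release sorts after any pre-release with the same numbers, so
    27.0.0 > 27.0.0-beta.2 > 27.0.0-beta.1. Pre-release labels of different
    shapes (e.g. 'beta.2' against '3') are not comparable and raise TypeError.
    """
    release, _, pre = text.strip().partition("-")
    if not re.fullmatch(r"\d+(\.\d+)*", release):
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in release.split("."))
    if not pre:
        return numbers, (1,)
    labels = tuple(int(p) if p.isdigit() else p for p in pre.split("."))
    return numbers, (0,) + labels


def check_product(product: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one installed build."""
    fixes = FIXED_VERSIONS.get(product.lower())
    if fixes is None:
        return "unknown"  # product not in the article's lists
    have = parse_version(installed)
    # One fixed release per branch; the branch is the major version.
    by_branch = {parse_version(v)[0][0]: parse_version(v) for v in fixes}
    branch_fix = by_branch.get(have[0][0])
    if branch_fix is not None:
        return "patched" if have >= branch_fix else "vulnerable"
    if have < min(by_branch.values()):
        return "vulnerable"  # older than every fixed branch, so cannot carry the fix
    # A branch the lists name no fix for (e.g. Electron 23.x): do not assume
    # it is safe; consult the vendor advisory.
    return "unknown"


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run check_product over (product, version) pairs, e.g. taken from an SBOM."""
    return [(name, ver, check_product(name, ver)) for name, ver in inventory]


# Constructed sample inventory, not data from any real host.
SAMPLE_INVENTORY = [
    ("chrome", "116.0.5845.188"),    # Windows build named above -> patched
    ("firefox", "115.2.0"),          # ESR one patch level short -> vulnerable
    ("electron", "27.0.0-beta.1"),   # earlier beta than 27.0.0-beta.2 -> vulnerable
    ("electron", "23.3.13"),         # no 23.x fix listed -> unknown
    ("thunderbird", "101.0"),        # older than every fixed branch -> vulnerable
    ("some-other-tool", "1.0"),      # not in the table -> unknown
]

if __name__ == "__main__":
    for name, ver, status in audit(SAMPLE_INVENTORY):
        print(f"{name:18} {ver:16} {status}")
```

The "unknown" outcome is deliberate: a scanner that only knew "fixed in 116.0.5845.187" would wave through a Firefox ESR 115.2.0 or an Electron 23.x build on a plain numeric comparison, which is exactly the false-reassurance the article warns about. Feed the function your real inventory (package manager output, an SBOM, an EDR software list) and treat every "unknown" as a follow-up item, not a pass.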
Rezilion also pointed out that Apple's ImageIO uses libwebp and links in the specific files responsible for the CVE-2023-4863 vulnerability. When CVEs cover the same underlying vulnerability, the teams involved in finding it should coordinate with each other and clearly state the origin of the bug. Without comment from Citizen Lab and Apple, it is hard to pin down the relationship between the vulnerabilities disclosed by Google and Apple.
The researchers stressed that incomplete disclosures make it hard for developers to determine whether their products are vulnerable. They also warned of the risk of inaccurate results when scanning for the vulnerability.
Now that the public is aware of the real threat, developers and users should carefully check their software. Anything that handles WebP images needs to be updated to a fixed version.
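The advice to check whether software handles WebP images raises the practical question of which inputs actually reach a WebP decoder. As an added example (not from the article, from Rezilion or from libwebp), the following Python script identifies WebP data by content rather than by file extension, using the public container layout (a RIFF header, the WEBP form type, and fourcc-tagged chunks such as VP8, VP8L and VP8X), and flags truncated or size-inconsistent files; it parses only the container and never decodes the image bitstream. The sample files are constructed stubs with placeholder payloads, not real images, and their file names are invented.

```python
"""Identify WebP data by content and summarise its RIFF container.

Added example, not code from the article or from libwebp. Only the container
is parsed; the compressed bitstream inside the VP8/VP8L chunks is untouched.
"""
from __future__ import annotations

import struct
from typing import List, Optional, Tuple

# Chunk fourcc -> encoding family, per the public WebP container layout.
ENCODING_BY_CHUNK = {"VP8L": "lossless", "VP8 ": "lossy"}


def parse_webp(data: bytes) -> Optional[dict]:
    """Return a summary dict for a WebP container, or None if data is not WebP.

    Layout: 'RIFF' <u32 size> 'WEBP', then chunks of
    <fourcc> <u32 payload size> <payload, padded to an even length>.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_size = struct.unpack_from("<I", data, 4)[0]
    chunks: List[Tuple[str, int]] = []
    truncated = False
    off = 12
    while off + 8 <= len(data):
        fourcc = data[off:off + 4].decode("latin-1")
        size = struct.unpack_from("<I", data, off + 4)[0]
        chunks.append((fourcc, size))
        end = off + 8 + size
        if end > len(data):
            truncated = True  # chunk claims more bytes than the file holds
            break
        off = end + (size & 1)  # odd-sized payloads carry one pad byte
    names = [name for name, _ in chunks]
    encoding = next((enc for name, enc in ENCODING_BY_CHUNK.items() if name in names), "unknown")
    return {
        "riff_size": riff_size,
        "size_mismatch": riff_size + 8 != len(data),  # RIFF size excludes the 8-byte header
        "truncated": truncated,
        "extended": "VP8X" in names,
        "encoding": encoding,
        "chunks": chunks,
    }


def classify(filename: str, data: bytes) -> dict:
    """Combine content detection with the name, flagging misleading extensions."""
    info = parse_webp(data)
    return {
        "filename": filename,
        "is_webp": info is not None,
        "extension_mismatch": info is not None and not filename.lower().endswith(".webp"),
        "details": info,
    }


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Build one RIFF chunk with even-length padding (for the constructed samples)."""
    pad = b"\x00" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _webp(*chunks: bytes) -> bytes:
    """Wrap chunks in a RIFF/WEBP header with a correct size field."""
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: valid containers around stub payloads, not real images.
SAMPLES = {
    "photo.webp": _webp(_chunk(b"VP8L", b"\x2f\x00\x00\x00\x00")),
    "logo.png": _webp(_chunk(b"VP8X", bytes(10)), _chunk(b"VP8L", b"\x2f\x00\x00\x00\x00")),
    "cut.webp": b"RIFF" + struct.pack("<I", 1000) + b"WEBP" + b"VP8 " + struct.pack("<I", 500) + bytes(4),
    "real.png": b"\x89PNG\r\n\x1a\n" + bytes(24),
    "sound.wav": b"RIFF" + struct.pack("<I", 4) + b"WAVE",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(classify(name, blob))
```

Run `classify` over the first few hundred bytes of each file in an upload directory, mail attachment quarantine or cache to see which objects would be handed to a WebP decoder regardless of what their names suggest; "logo.png" in the samples is the case a name-based filter misses. The truncated and size-mismatch flags are cheap sanity signals worth logging, not proof of anything on their own.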
