Newsletter
A newly discovered, actively exploited critical security flaw has put millions of internet users in danger. The vulnerability, tracked as CVE-2023-4863, affects some of the best web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, as well as other apps like Telegram, Signal, and 1Password. It allows attackers to remotely take control of a system, and launch a more devastating attack.
This security flaw is caused by a heap buffer overflow vulnerability. It’s a type of security issue where a program/app doesn’t manage memory well and allows overwriting of important system data. If an attacker knows that a program has this vulnerability, they can exploit it to replace system data with specially crafted malicious data that allows them to gain unauthorized access to the system and steal critical information or cause other forms of damage.
In this case, the vulnerability exists in the WebP codec (libwebp). WebP is a Google-developed modern image format with efficient compression capabilities. It’s one of the most widely used image formats on the internet. “If this codec has a heap buffer overflow, an attacker might be able to craft a malicious WebP image that, when viewed, exploits this vulnerability to harm your computer or steal information,” Alex Ivanovs of Stack Diary explains.
Attackers are actively exploiting this critical security flaw
Ivanovs has provided a detailed technical explanation of the issue here. He noted that it’s a massive security threat because it involves the WebP image format. To make matters worse, the vulnerability was falsely marked as “Chrome-only” by some organizations. This led to misinformation and more grave security risks. In reality, the issue exists on every software program or app that uses libwebp to render WebP images.
Along with the aforementioned apps, this vulnerability also affects Affinity, Gimp, Inkscape, LibreOffice, Thunderbird, ffmpeg, Honeyview, and “many, many Android applications as well as cross-platform apps built with Flutter,” Ivanovs states. He added that the Apple Security Engineering and Architecture (SEAR) team discovered and reported the vulnerability in collaboration with The Citizen Lab at The University of Toronto’s Munk School on September 6, 2023.
Google has already confirmed the existence of an exploit for the vulnerability in the wild. This emphasizes the urgency of the situation. If you’re using any of the apps mentioned in this article, you should update them to the latest version immediately. It’s always advisable to keep apps updated. This reduces the risk of security exploitations and keeps your device more secure.