Any Chromium and Firefox browser prior to version 116 will be vulnerable to this, update your browsers.
Well, i think firefox 117 fixed that webp issue so i am on that one.
UPDATE YOUR BROWSERS IMMEDIATELY. RCE VULNERABILITY DISCOVERED
Submitted 1 year ago by VitabytesDev@feddit.nl to technology@lemmy.world
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
Comments
shortwavesurfer@monero.town 1 year ago
joyjoy@lemm.ee 1 year ago
Specifically 117.0.1 (117.1 on android)
ForestOrca@kbin.social 1 year ago
Good to go. Always roll with the latest version.
bappity@lemmy.world 1 year ago
AGAIN?
seaQueue@lemmy.world 1 year ago
It’s last week’s big libwebp vulnerability again.
bappity@lemmy.world 1 year ago
oh >_>
GamingChairModel@lemmy.world 1 year ago
Sorta. OP just linked the full disclosure of the libwebp vulnerability that made the news 2 weeks ago.
But there’s an even more recent vulnerability in libvpx that was announced this week, that is similar in a lot of ways (including severity).
dublet@lemmy.world 1 year ago
treadful@lemmy.zip 1 year ago
There’s a more recent CVE as well for FF that was patched in 118.0.1: CVE-2023-5217: Heap buffer overflow in libvpx
cheese_greater@lemmy.world 1 year ago
What actual like platforms does this affect and to what extent tho? Like Mac (probably not iOS which is WebKit)?
towerful@programming.dev 1 year ago
I’ve read elsewhere it’s actually a problem with libwebp not just chrome.
Basically, anything that relies on libwebp (ie can play libwebp) is vulnerable.
snyk.io/blog/critical-webp-0-day-cve-2023-4863/cheese_greater@lemmy.world 1 year ago
I wonder if it applies to devices using LockDown mode, thats shuts down a lot of nonsense in its own right…
Th3D3k0y@lemmy.world 1 year ago
Current Description
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
cheese_greater@lemmy.world 1 year ago
By crafter webpage, does it mean it refers to anything like phishing or something a more savvy user wouldn’t likely “fall for” or does that actually not matter (zero-day or whatever)
Phen@lemmy.eco.br 1 year ago
Discord, slack, MS Teams, Steam, pretty much anything. But most of them have already fixed it so if you let stuff update itself frequently, there’s little risk.
GamingChairModel@lemmy.world 1 year ago
Apple also released urgent out-of-band security patches for iOS and MacOS around the same time, and disclosed that it had something to o do with imag processing. Unclear whether they use libwebp or some other implementation, but they disclosed that it was being actively exploited on iPhones.
pastermil@sh.itjust.works 1 year ago
I read this as RICE vulnerability and was confused
cheese_greater@lemmy.world 1 year ago
Imma let you get to that soon but we all know RCE vulnerabillities really won the night here
eumesmo@lemmings.world 1 year ago
What about webview-based browsers in android phones?
Bipta@kbin.social 1 year ago
As far as I'm aware this does affect Android and is not currently fixed. It's expected to be fixed in the October security patch.
This is just my memory of reading weeks ago. Someone else may know better.
9point6@lemmy.world 1 year ago
The Android webview is updated through the play store as of a few years ago
TakingOnWater@lemmy.world 1 year ago
So if the phone gets a security update for this at the OS level, should we theoretically be safe to use apps with any sort of browser functionality? Like some apps that don’t update, or are no longer being maintained, etc
GamingChairModel@lemmy.world 1 year ago
This isn’t just a browser vulnerability. It’s a vulnerability at a much more fundamental level, which is why it’s so critical. It’s a vulnerability in how almost every piece of software processes a widely supported image format, so anything that touches images is potentially at risk: browsers, chat or messaging apps, file browsers, or really anything that uses thumbnails or image previews, including some core OS functionality. On the server side, you’ve got anything that makes thumbnails and previews, too.
We should wait and see whether there are any practical attacks outside the browser context (maybe the malicious code needs to be placed in a web page that displays the malicious image file, or maybe they need to figure out a way to actually put all the malicious code in the image file itself). But the vulnerability itself is in a fundamental library used by a lot more software.
nostradiel@lemmy.world 1 year ago
I found these alerts so hilarious… You have no idea how many vulnerabilities are discovered by grey/blackhat hackers. Even whitehat working for the governments not reporting them to have more variety of back doors.
But ok… Update and “be” protected. 🤣
CriticalMiss@lemmy.world 1 year ago
Yes but this is a vulnerability now open to the public that script kiddies are going to utilize so unless you want your data grabbed by a 14yo larper for opening an image in your browser update your browser
bobman@unilem.org 1 year ago
Why are script kiddies always, kids?
Not a single child I knew growing up knew how to program.
padjakkels@lemmy.world 1 year ago
Click bait much???
CrayonRosary@lemmy.world 1 year ago
How is this clickbait? The all-caps is a bit much, but the title contains everything you need to know. There’s nothing remotely clickbaity about it.
VitabytesDev@feddit.nl 1 year ago
Ah, yes sorry for the all-caps title. I just wanted to seem a bit urgent.
Vub@lemmy.world 1 year ago
Not sure why you only mention Chromium and Firefox in the post text, I can only assume this vulnerability affects ALL browsers. Safari (WebKit based) is, as far as I know, the second most used browser in the world.
dwokimmortalus@lemmy.world 1 year ago
It’s anything implementing .webp support. Though the CVE has been out for nearly two weeks already so most apps have been patched.
marius851000@lemmy.mariusdavid.fr 1 year ago
Actually, it’s specific to libwebp, but many things that decode webp just use this library (for example, decoding webp with the “image” rust crates doesn’t use libwebp. It does use it for encoding thought).
Buelldozer@lemmy.today 1 year ago
This is way way wider than just browsers. Anything that can display webp images is vulnerable and that includes things like MS Teams and Twitch.
Lantern@lemmy.world 1 year ago
Further solidifying webp as the worst image format.
chameleon@kbin.social 1 year ago
The current advisory is in webm (VP8 specifically). The webp one was 2 weeks ago.
...yeah, not a good time for web browsers lately...
Lucidlethargy@sh.itjust.works 1 year ago
WebP is currently the smallest and highest quality format accepted by browsers today. I have no idea why you think so negatuvely of it, but it’s irreplaceable until something better is widely adopted, and thus viable.
It’s the best format for websites as of this exact moment.
synceDD@lemmy.world 1 year ago
? I dont like it because I’m uneducated so it’s bad, average voter
seaQueue@lemmy.world 1 year ago
It’s the full disclosure of the ImageIO webp vuln from last week, this is the root cause.