
Incomplete disclosures by Apple and Google create “huge blindspot” for 0-day hunters


  1. Amun

    Dan Goodin


    The researchers said the incomplete disclosures present a “formidable undertaking” for developers trying to determine if their wares are vulnerable. They said the lack of clarity also puts the developers at risk of receiving false negatives when looking for vulnerabilities.
    No one mentioned that libwebp, a library found in millions of apps, was a 0-day origin.

    The researchers wrote: While the vulnerability initially seems to target Chromium-based applications, now that we know better, we understand that it possesses the potential to affect a much wider range of software and applications relying on the ubiquitous libwebp package for WebP codec functionality. This package stands out for its efficiency, outperforming JPEG and PNG in terms of size and speed. Consequently, a multitude of software, applications, and packages have adopted this library, or even adopted packages that have libwebp as a dependency, creating a complex challenge when attempting to identify vulnerable systems. The sheer prevalence of libwebp extends the attack surface significantly, raising serious concerns for both users and organizations.

    Organizations with SBOM solutions in their environment are advised to query the SBOM for any package using a vulnerable version of libwebp as a dependency. It is especially important to make sure that the system libwebp library is patched, as several applications, Chromium for example, are built against the system libwebp library.


    Apple

    Apple said the vulnerability, tracked as CVE-2023-41064, stemmed from a buffer overflow bug in ImageIO, a proprietary framework that allows applications to read and write most image file formats, which include one known as WebP. Apple credited the discovery of the zero-day to Citizen Lab, a research group at the University of Toronto’s Munk School that follows attacks by nation-states targeting dissidents and other at-risk groups.

    Google

    Four days later, Google reported a critical vulnerability in its Chrome browser. The company said the vulnerability was what’s known as a heap buffer overflow that was present in WebP. Google went on to warn that an exploit for the vulnerability existed in the wild. Google said that the vulnerability, designated as CVE-2023-4863, was reported by the Apple Security Engineering and Architecture team and Citizen Lab.

    Similarities strongly suggested that the underlying bug

    Speculation, including from me, quickly arose that a large number of similarities strongly suggested that the underlying bug for both vulnerabilities was the same. On Thursday, researchers from security firm Rezillion published evidence that they said made it “highly likely” both indeed stemmed from the same bug, specifically in libwebp, the code library that apps, operating systems, and other code libraries incorporate to process WebP images.

    Rather than Apple, Google, and Citizen Lab coordinating and accurately reporting the common origin of the vulnerability, they chose to use a separate CVE designation, the researchers said. The researchers concluded that “millions of different applications” would remain vulnerable until they, too, incorporated the libwebp fix. That, in turn, they said, was preventing automated systems developers use to track known vulnerabilities in their offerings from detecting a critical vulnerability that’s under active exploitation.

    “Since the vulnerability is scoped under the overarching product containing the vulnerable dependency, the vulnerability will only be flagged by vulnerability scanners for these specific products,” Rezillion researchers Ofri Ouzan and Yotam Perkal wrote. “This creates a HUGE blindspot for organizations blindly relying on the output of their vulnerability scanner.”

    The number of apps, frameworks, code libraries, and other packages that incorporate libwebp and have yet to receive a patch is unknown. While Microsoft patched CVE-2023-4863 in its Edge browser, the company confirmed in an email on Thursday that other vulnerable products and code packages had yet to be patched. Updates for the affected offerings “are in our release pipeline,” the representative said, without providing an estimated release. Microsoft offerings known to remain vulnerable are Teams, a widely used collaboration platform, and the developer tool Visual Studio Code.

    Both products are built on the Electron framework, which was also affected by CVE-2023-4863. There is a large number of other apps that also use Electron.

    According to a list compiled on Wikipedia, they include:

    • 1Password
    • balenaEtcher
    • Basecamp 3
    • Beaker (web browser)
    • Bitwarden
    • CrashPlan
    • Cryptocat (discontinued)
    • Discord
    • Eclipse Theia
    • FreeTube
    • GitHub Desktop
    • GitKraken
    • Joplin
    • Keybase
    • Lbry
    • Light Table
    • Logitech Options +
    • LosslessCut
    • Mattermost
    • Microsoft Teams
    • MongoDB Compass
    • Mullvad
    • Notion
    • Obsidian
    • QQ (for macOS)
    • Quasar Framework
    • Shift
    • Signal
    • Skype
    • Slack
    • Symphony Chat
    • Tabby
    • Termius
    • TIDAL
    • Twitch
    • Visual Studio Code
    • WebTorrent
    • Wire
    • Yammer

    Further adding to the list of vulnerable apps

    Other widely used frameworks, code libraries, and OSes are also vulnerable to CVE-2023-4863 because they also incorporate Electron, another code library that uses libwebp, or have libwebp built in directly.

    • Google Chrome – Mac and Linux 116.0.5845.187 and Windows 116.0.5845.187/.188.
    • Mozilla – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2
    • Brave Browser – version 1.57.64 (Chromium: 116.0.5845.188).
    • Microsoft Edge – versions 109.0.1518.140, 116.0.1938.81 and 117.0.2045.31.
    • Tor Browser – version 12.5.4.
    • Opera – version 102.0.4880.46.
    • Vivaldi – version 6.2.3105.47.

    Operating systems

    • Debian – released partial security fixes for chromium, firefox, firefox-esr, libwebp and thunderbird; not all distributions have a fix.
    • Ubuntu – released partial security fixes for chromium-browser, libwebp, firefox, thunderbird and mozjs; not all distributions have a fix.
    • Alpine – released security fixes to chromium, libwebp, qt5-qtimageformats and firefox-esr.
    • Gentoo – released a security fix for media-libs/libwebp, version 1.3.1_p20230908.
    • RedHat – released security fixes (RHSA) for Mozilla Thunderbird, Mozilla Firefox and libwebp.
    • SUSE – released security fixes (SUSE-SU and openSUSE-SU) for Mozilla Firefox, Mozilla Thunderbird, libwebp and chromium packages.
    • Oracle – released security fixes (ELSA) for Mozilla Firefox and Mozilla Thunderbird.
    • Amazon Linux – has still not pushed fixes to its AMI images.

    Other software

    • Zulip Server – version 7.4.
    • Electron – versions 22.3.24, 24.8.3, 25.8.1, 26.2.1 and 27.0.0-beta.2
    • Xplan – version 23.9.289.
    • Signal-Desktop – version 6.30.2.
    • Honeyview – version 5.51.

    Other software known to be patched:

    • Slack
    • 1Password
    • Telegram

    Beware of false negatives

    Rezillion went on to say that a scan of Apple’s ImageIO binaries showed not only that it used libwebp, but also that it referenced vp8l_dec.c, vp8li_dec.h, huffman_utils.c, and huffman_utils.h. Those are the same files present in libwebp that caused CVE-2023-4863.

    The number of affected software packages is too large to check all of them. People who want to know about a specific offering not listed should check with the developer.

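As an added example, not part of the comment above, the Ars Technica article it quotes, or any code published by Rezillion: a small Python script that performs the two checks the quoted text recommends. First, it queries a CycloneDX SBOM for every component whose dependency closure contains a libwebp older than the fixed release, so that an Electron app which never names libwebp directly is still flagged. Second, it scans a binary for the libwebp source-file names the researchers spotted inside ImageIO, the "false negative" case where no package metadata mentions libwebp at all. The sample SBOM, the binary blob, the component names and the fixed-version constant (1.3.2, which the page does not state) are my own assumptions for the example.

```python
import re

# Upstream libwebp release carrying the CVE-2023-4863 fix. Assumption of this
# example; the page itself does not name the upstream fixed version.
FIXED_LIBWEBP_VERSION = (1, 3, 2)

# libwebp source files the researchers found referenced inside Apple's ImageIO
# binaries; seeing them in a binary shows libwebp code was compiled in.
LIBWEBP_MARKERS = (b"vp8l_dec.c", b"vp8li_dec.h", b"huffman_utils.c", b"huffman_utils.h")


def parse_version(text):
    """'1.3.1', '1.3.1_p20230908' or '1.2.4-0.2+deb12u1' -> (1, 3, 1) etc.
    Only the leading dotted numbers count; distro suffixes are dropped, so a
    backport that keeps an old version string is reported as vulnerable and must
    be confirmed against the distro advisory by hand."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", (text or "").strip())
    return None if m is None else tuple(int(p or 0) for p in m.groups())


def classify_version(text):
    """'vulnerable', 'fixed' or 'unknown' for one libwebp version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    return "vulnerable" if v < FIXED_LIBWEBP_VERSION else "fixed"


def _reachable(start, edges):
    """All bom-refs reachable from `start` over dependsOn edges (iterative DFS)."""
    seen, stack = set(), [start]
    while stack:
        for child in edges.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def find_libwebp_exposure(sbom):
    """Map component name -> status for every component whose dependency closure
    contains libwebp, root component from metadata included. `sbom` is a CycloneDX
    1.4 JSON document loaded as a dict; only components, dependencies and
    metadata.component are read."""
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    root = sbom.get("metadata", {}).get("component")
    if root and "bom-ref" in root:
        components[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    libwebp_refs = {r for r, c in components.items() if c.get("name") == "libwebp"}
    report = {}
    for ref, comp in components.items():
        hits = () if ref in libwebp_refs else _reachable(ref, edges) & libwebp_refs
        if not hits:
            continue
        # A component may pull in several libwebp copies; the worst status wins.
        statuses = {classify_version(components[h].get("version")) for h in hits}
        report[comp["name"]] = ("vulnerable" if "vulnerable" in statuses
                                else "unknown" if "unknown" in statuses else "fixed")
    return report


def scan_binary_for_libwebp(data):
    """Return the libwebp marker file names present in a binary's bytes. This is
    the string check described for ImageIO: a non-empty result means libwebp code
    is linked in even when no package metadata says so. It does not reveal the
    version, so a hit means 'verify this binary', not 'vulnerable'."""
    return sorted(m.decode() for m in LIBWEBP_MARKERS if m in data)


# Constructed sample SBOM (not from any real product): an Electron-based chat app
# reaching libwebp only through electron, a tool built against a fixed libwebp,
# and a utility with no libwebp in its closure.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "chat-desktop", "version": "4.2.0"}},
    "components": [
        {"bom-ref": "electron", "name": "electron", "version": "25.8.0"},
        {"bom-ref": "libwebp-old", "name": "libwebp", "version": "1.3.1"},
        {"bom-ref": "image-tool", "name": "image-tool", "version": "2.0"},
        {"bom-ref": "libwebp-new", "name": "libwebp", "version": "1.3.2"},
        {"bom-ref": "util", "name": "standalone-util", "version": "0.9"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["electron", "util"]},
        {"ref": "electron", "dependsOn": ["libwebp-old"]},
        {"ref": "image-tool", "dependsOn": ["libwebp-new"]},
        {"ref": "util", "dependsOn": []},
    ],
}

# Constructed stand-in for a stripped binary with two marker strings embedded.
SAMPLE_BINARY = b"\x7fELF" + b"\x00" * 32 + b"src/dec/vp8l_dec.c\x00huffman_utils.c\x00"

if __name__ == "__main__":
    for name, status in find_libwebp_exposure(SAMPLE_SBOM).items():
        print(f"{name}: {status}")
    print("markers:", scan_binary_for_libwebp(SAMPLE_BINARY))
```

Two caveats matter in practice. The version comparison is deliberately naive: Gentoo's 1.3.1_p20230908 listed above is a patched snapshot, yet by number alone it sorts below 1.3.2 and is reported as vulnerable, which is why distro-packaged libwebp must be checked against the vendor advisory rather than the bare version string. And the binary scan answers only "is libwebp code in here", the question a scanner keyed to CVE-4863's product scope never asks; it cannot tell a patched copy from an unpatched one, so every hit still needs a version lookup with the vendor.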