Critical vulnerability in libwebp

29 Sep 2023 Author: Maria Ohnivchuk

The libwebp vulnerability poses a threat to the security of browsers, messengers, and hundreds of other popular applications

Last week, a dangerous zero-day vulnerability surfaced, which was rated with a maximum score of 10.0 according to the CVSS system, and it was assigned the identifiers CVE-2023-4863 and CVE-2023-5129.

The vulnerability has been discovered in a library used for working with WebP image format, and it is actively exploited by malicious actors. This poses a significant threat to numerous operating systems, web browsers, applications, and components, including iOS, Skype, Microsoft Teams, Slack, Signal, Chrome, Chromium, Firefox, Thunderbird, Libreoffice, Photoshop, GitHub Desktop, Visual Studio Code, and many others.s.

Initially, Google classified this issue as a Chrome vulnerability (CVE-2023-4863) and did not associate it with libwebp. This decision led to confusion in the cybersecurity community, as many wondered why Google did not acknowledge it as a libwebp flaw. Therefore, the vulnerability was reclassified as CVE-2023-5129.

The significance of reclassifying as a libwebp vulnerability lies in the fact that it went unnoticed as a potential security threat for various projects using libwebp, including the most popular platforms.

Which applications are affected by the vulnerability?

warning sign

The vulnerability affects many popular applications that use the WebP format. Hackers actively exploit it for zero-day attacks. The vulnerability has been fixed in version 1.3.2 of libwebp, but many applications are still vulnerable. Here is a list of some applications affected by the vulnerability:

  • 1Password
  • balenaEtcher
  • Basecamp 3
  • Beaker (web browser)
  • Bitwarden
  • CrashPlan
  • Cryptocat (discontinued)
  • Discord
  • Eclipse Theia
  • FreeTube
  • GitHub Desktop
  • GitKraken
  • Joplin
  • Keybase
  • Lbry
  • Light Table
  • Logitech Options +
  • LosslessCut
  • Mattermost
  • Microsoft Teams
  • MongoDB Compass
  • Mullvad
  • Notion
  • Obsidian
  • QQ (for macOS)
  • Quasar Framework
  • Shift
  • Signal
  • Skype
  • Slack
  • Symphony Chat
  • Tabby
  • Termius
  • TIDAL
  • Twitch
  • Visual Studio Code
  • WebTorrent
  • Wire
  • Yammer

Which applications have fixes available for the vulnerability?

digital background

In some applications, the vulnerability has been fixed, and updates are available for download. Here are some of the applications that have released fixes for the vulnerability:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Opera

Users of vulnerable applications are recommended to update them to the latest version as soon as possible to reduce the risk of exploitation, data breaches, and other security incidents.

Developers of applications using libwebp are advised to thoroughly assess the risk of its exploitation, update the library, consider replacing or temporarily deactivating it, or explore other workaround solutions to mitigate the risk.

How to ensure security and avoid such vulnerabilities?

security key

Given the serious threats posed by vulnerabilities like the libwebp issue, it is important to proactively work to secure your applications and systems. At H-X Technologies, we specialize in providing a high degree of security in the online environment. Our cybersecurity experts are highly skilled and conduct systematic penetration testing (pentesting) and source code security analysis to identify and then remediate vulnerabilities like the libwebp vulnerability.

We understand how critical securing your business is, and we are ready to offer you personalized solutions. Don’t let vulnerabilities undermine your company’s security. Contact us, and you will receive not only one-time professional penetration testing and source code security analysis but also ongoing support and valuable recommendations from our experts.

_____________________
Subscribe to our Telegram channel so you do not miss our news.

Other news

21/12/2024
Year-end summary 2024
14/11/2024
Customer confidence reaffirmed