
Serious vulnerability in WebP graphics format threatens browsers and apps

Florian Bodoky
15/9/2023
Translation: machine translated

There is currently a serious security vulnerability in the "libwebp" code library. Numerous browsers and popular programmes that use it are affected.

"CVE-2023-4863" is the name of the vulnerability that is currently threatening many systems. It is located in the "libwebp" code library, which is required for rendering WebP images. This is a so-called "heap buffer overflow" vulnerability. This makes it possible for cybercriminals to smuggle malicious code onto your device and execute it remotely while you are surfing the web, for example. This is known as a "buffer overflow attack". This can damage a system or steal private data. In the worst case, they can also take control of your system. As has been reported by various sources, this has already happened.

Simply explained: What is a "buffer overflow" attack?

A "buffer overflow" is to be understood quite literally. This occurs when more data is loaded into a memory than the buffer can provide. Due to the vulnerability, the programme cannot properly check the data that is "squeezed" into the buffer. This data is then transferred to other memory areas. As a result, data in these areas can either be replaced, corrupted or compromised. A patch now ensures that the programmes check the incoming data correctly and that the memory limits are adhered to.

Which programmes are affected

Any software that uses the affected "libwebp" library. Essentially, this means all programmes that are based either on Chromium or on the Electron framework. It applies to practically all well-known browsers (including those not built on Chromium): Chrome, Firefox, Edge, Opera, Vivaldi, Safari and Brave.

The vulnerability also affects popular apps such as Signal or Teams.
Source: Florian Bodoky

In addition, other popular software is affected: Discord, MS Teams or Signal, but also LibreOffice, 1Password and many more. It doesn't matter which operating system you use - "libwebp" is used everywhere.

What do I need to do?

Here I can finally give you some good news. Patches for Chromium-based browsers are already available, so it's best to check right now whether an update is offered. If not, it will almost certainly arrive in the next day or two. Electron has also already reacted and released a fix, so you can expect the developers of Electron-based apps to provide you with an update now or in the next few days. You can find out which programmes rely on Electron here.

Cover image: Shutterstock

I've been tinkering with digital networks ever since I found out how to activate both telephone channels on the ISDN card for greater bandwidth. As for the analogue variety, I've been doing that since I learned to talk. Though Winterthur is my adoptive home city, my heart still bleeds red and blue. 
