Security update around WebP vulnerability

On Wednesday September 27, 2023, news of active exploitation of a zero-day vulnerability ( CVE-2023-4863 )(updated with CVE-2023-5129) in a common component of the webp image format, was announced.

This vulnerability is known to potentially affect a wide range of browsers and popular applications.
This includes (but is not limited to)
Google Chrome
Microsoft Edge
Microsoft Teams
Along with a wide range of others.

We have reviewed the available information and believe that by virtue of our general approach of minimising Internet exposed services and rapid response to installation of security patches via our patch management system, impact to our clients with an IT Support Contract is minimal. If you are not currently on our patch management platform, then now may be a good time to discuss implementing this.

This is a rapidly evolving situation, and we wish to reassure clients that we continue to take the threat very seriously and will be implementing mitigations or fixes as they become available to us.

This rest of this post provides additional details of our response to the Webp / Libwebp vulnerability as well as an FAQ for customers to assess their own potential exposure.

Like many organisations we are taking this seriously and continuing to review our internal systems and are also auditing for the vulnerability in technology used by our clients, we will be providing further updates on anything arising.

WHAT IS THE WEBP VULNERABILITY?

This vulnerability in Webp is potentially the most impactful critical vulnerability that we have seen this year.

The way this attacks works is criminals will attempt to exploit a Buffer Overflow Vulnerability in the Libwebp component of Webp image format. A remote attacker may be able to exploit this to install remote access trojans within impacted computer systems.

EG just by viewing an infected image or photo, an attacker might be able to gain complete remote access to your computer.

This vulnerability does not require any end user interaction – it can gain this level of control without needs for clicks on the image, or requesting username / password, or responding to an on-screen prompt – This is one of the reasons that this exploit is so concerning – the other is the wide and varied array of software that utilises WebP and is therefore affected by this.

This situation is evolving, and we fully expect news of additional affected technologies to become known over the coming days and weeks ahead.

We remain actively:

• Rechecking our initial assessments.
• Monitoring for additional information emerging about the applications impacted.
• Reassessing exposure as necessary.

The days and weeks ahead might be challenging as exploits mature and evolve, more becomes known about common technologies that have this vulnerability embedded within them, and more third-party disclosures come out regarding technology susceptibility.

FAQ  

Q: Is there anything we need to do?

A: Some third-party systems used by your company may be affected, please monitor your email for Vendor advice and send anything to us as soon as you have it. Let us know as well if you note any software that seems to be out of date.

Q: Are we still vulnerable?

A: We have implemented several mitigations to limit the potential attack surface area via update rollout from our patch management system and will continue to implement workarounds and patches as they become available.

If you require further information, wish to discuss this further, or add your devices to our patch management system, then please contact us.

SOME HELPFUL RESOURCES

• Google quietly corrects previously submitted disclosure for critical webp 0-day | Ars Technica
• CCCS AV21-626 Apache Security Advisory
• NVD – CVE-2023-4863 (nist.gov)
• NVD – CVE-2023-5129 (nist.gov)
• NVD – CVE-2023-41064 (nist.gov)
• Critical WebP bug: many apps, not just browsers, under threat (stackdiary.com)
• Google assigns new maximum rated CVE to libwebp bug exploited in attacks (bleepingcomputer.com)

SUMMARY

This is one of many security issues that are released almost daily.  It’s important that every organisation stays vigilant.  It’s important that you assess your organisation’s risks and mitigate against those risks as well as your budgets will allow.  We produce many blogposts around the topic of IT Security and hopefully, some of those might help you to better understand the needs.  If you are not one of our IT Support customers and want to discuss how a support contract might help you to stay ahead of these problems, feel free to book a consultation using the button below.