DVD Networks now scans for and identifies CVE-2023-4863, a critical heap buffer overflow in the libwebp image library with severe implications for a large number of applications, browsers, and operating systems. Since its disclosure the vulnerability has been compared with Log4j: it is far more serious and widespread than originally thought, because every product that bundles its own copy of libwebp inherits the bug and needs its own fix.
Our team is working to help our customers identify and patch the applications affected by this zero-day vulnerability, and we are actively expanding our scanning to cover more impacted software.
Two weeks ago, Google issued a security advisory for a critical vulnerability in libwebp, the library used to decode (and encode) WebP images. The advisory was initially scoped to Chrome alone, which proved far too narrow: as other major browsers issued their own notices, it became clear that the impact extends to any code that links or bundles libwebp, which puts millions of applications at risk.
Security researchers also found the vulnerable library in the latest versions of several widely used container images, collectively downloaded and deployed billions of times, including Nginx, Python, Joomla, WordPress, and Node.js.
This heap buffer overflow, tracked as CVE-2023-4863, lets an attacker run code in the context of the viewing application when a user opens a specially crafted WebP image. The defect is in how the decoder builds Huffman tables for lossless (VP8L) image data, so any application that hands untrusted images to that decoder is exposed, whether or not it is a browser. To reflect that the bug belongs to libwebp itself rather than to Chrome, Google later filed a separate identifier, CVE-2023-5129, with the highest CVSS score of 10 out of 10. (Side note: that ID has since been rejected by its CVE Numbering Authority as a duplicate of CVE-2023-4863, so CVE-2023-4863 is the identifier to track.)
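As an added example (our illustration, not part of the original post and not DVD Networks' scanner), the following Python parses a WebP container just far enough to tell whether a file would reach libwebp's lossless (VP8L) decoder, the path where the CVE-2023-4863 overflow sits. That is a useful first cut when triaging images pulled from mail, chat or web proxy logs. It only walks the RIFF chunk structure and the five-byte VP8L header and never decodes pixel data; the sample files embedded at the bottom are constructed headers, not real images.

```python
"""Triage WebP files for the decoder path where CVE-2023-4863 lives.
The overflow is in libwebp's lossless (VP8L) Huffman-table construction, so a first question for a
pile of inbound images is which of them reach that decoder. Only the RIFF container and the 5-byte
VP8L header are parsed; nothing is decoded. Sample files at the bottom are constructed, not real images."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VP8L_SIGNATURE = 0x2F  # first byte of every VP8L (lossless) bitstream


@dataclass
class WebPReport:
    chunks: List[str] = field(default_factory=list)   # FourCCs seen, including ANMF sub-chunks
    lossless: bool = False                             # a VP8L bitstream is present
    lossless_alpha: bool = False                       # an ALPH chunk compressed with the VP8L coder
    dimensions: Optional[Tuple[int, int]] = None       # (width, height) from the first VP8L header
    problems: List[str] = field(default_factory=list)  # container-level oddities worth a look


def _iter_chunks(buf, offset, end):
    """Yield (fourcc, payload) for RIFF chunks in buf[offset:end]; odd-sized payloads carry a pad byte."""
    while offset + 8 <= end:
        fourcc = buf[offset:offset + 4]
        size = struct.unpack_from("<I", buf, offset + 4)[0]
        start = offset + 8
        if start + size > end:
            raise ValueError(f"chunk {fourcc!r} declares {size} bytes but only {end - start} remain")
        yield fourcc, buf[start:start + size]
        offset = start + size + (size & 1)


def _parse_vp8l_header(payload):
    """VP8L header: signature byte, then LSB-first 14-bit width-1, 14-bit height-1, alpha bit, 3-bit version."""
    if len(payload) < 5 or payload[0] != VP8L_SIGNATURE:
        return None
    bits = struct.unpack_from("<I", payload, 1)[0]
    return (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1, (bits >> 29) & 0x7


def _visit(fourcc, payload, report):
    report.chunks.append(fourcc.decode("ascii", "replace"))
    if fourcc == b"VP8L":
        hdr = _parse_vp8l_header(payload)
        if hdr is None:
            report.problems.append("VP8L chunk without a valid lossless signature")
            return
        report.lossless = True
        report.dimensions = report.dimensions or hdr[:2]
        if hdr[2] != 0:
            report.problems.append(f"VP8L version field is {hdr[2]}; the format requires 0")
    elif fourcc == b"ALPH":
        # Low two bits of the first byte select compression: 0 = none, 1 = the VP8L lossless coder.
        if payload and (payload[0] & 0x3) == 1:
            report.lossless_alpha = True
    elif fourcc == b"ANMF":
        # Animation frame: 16-byte frame header, then the frame's own ALPH / VP8 / VP8L sub-chunks.
        for sub_fourcc, sub_payload in _iter_chunks(payload, 16, len(payload)):
            _visit(sub_fourcc, sub_payload, report)


def analyze_webp(buf):
    """Walk the container and record which bitstreams it carries."""
    report = WebPReport()
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    if riff_size + 8 != len(buf):
        report.problems.append(f"RIFF size field {riff_size} does not match file length {len(buf) - 8}")
    try:
        for fourcc, payload in _iter_chunks(buf, 12, min(len(buf), riff_size + 8)):
            _visit(fourcc, payload, report)
    except ValueError as exc:
        report.problems.append(str(exc))
    return report


def reaches_lossless_decoder(report):
    """True when decoding exercises the VP8L path, i.e. the code where the CVE-2023-4863 bug sits."""
    return report.lossless or report.lossless_alpha


def build_webp(chunks):
    """Assemble a RIFF/WEBP container from (fourcc, payload) pairs; used for the constructed samples."""
    body = b"".join(f + struct.pack("<I", len(p)) + p + (b"\0" if len(p) & 1 else b"") for f, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


VP8L_16x8 = bytes([VP8L_SIGNATURE, 0x0F, 0xC0, 0x01, 0x00]) + b"\0" * 8  # width-1 = 15, height-1 = 7
LOSSLESS_SAMPLE = build_webp([(b"VP8L", VP8L_16x8)])
LOSSY_SAMPLE = build_webp([(b"VP8 ", b"\x30\x01\x00\x9d\x01\x2a\x10\x00\x08\x00" + b"\0" * 6)])
ANIMATED_SAMPLE = build_webp([
    (b"VP8X", bytes([0x02, 0, 0, 0, 15, 0, 0, 7, 0, 0])),  # animation flag set, 16x8 canvas
    (b"ANMF", b"\0" * 16 + b"VP8L" + struct.pack("<I", len(VP8L_16x8)) + VP8L_16x8 + b"\0"),
])
```

Run it on real files with `analyze_webp(open(path, "rb").read())`. A lossy-only file (just a `VP8 ` chunk) still means the library must be patched, but it does not exercise the Huffman-table code, which matters when deciding which captured samples to look at first. Note that alpha planes and animation frames can carry VP8L data too, which is why the walker descends into `ALPH` and `ANMF`; and files whose RIFF size field or chunk sizes do not add up deserve a closer look regardless of codec.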
The vulnerability is credited to both Apple's Security Engineering and Architecture (SEAR) team and the Citizen Lab at the University of Toronto, which reported it to Google after finding it exploited in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) then added it to its Known Exploited Vulnerabilities catalog and warned of active exploitation by undisclosed threat actors, underlining the immediate risk.
Critics also point to miscommunication between Google and Apple in the early stages of the response, which gave threat actors more time and created a "huge blindspot" for zero-day hunters: each company initially treated the bug as confined to its own products, even though both ship libwebp.
Researchers also connected this bug to CVE-2023-41064, the Apple ImageIO vulnerability exploited in the BLASTPASS zero-click chain that delivered NSO Group's Pegasus spyware to targeted mobile devices. The two identifiers cover the same libwebp defect as it appears in different products, which further elevates the significance and potential consequences of the libwebp vulnerability.
In response, we immediately mobilized resources to help our customers identify and patch applications affected by this vulnerability, and our team is testing and deploying patches across a wide range of applications and platforms.
Specifically, patches are tested for:
We are also scanning for the vulnerable library across a wide range of desktop applications, including CrashPlan, Cryptocat (discontinued), Discord, Eclipse Theia, FreeTube, GitHub Desktop, GitKraken, Joplin, Keybase, Lbry, Light Table, Logitech Options+, LosslessCut, Mattermost, Microsoft Teams, MongoDB Compass, Mullvad, Notion, Obsidian, QQ (for macOS), Quasar Framework, Shift, Signal, Skype, Slack, Symphony Chat, Tabby, Termius, TIDAL, Twitch, Visual Studio Code, WebTorrent, Wire, and Yammer. Most of these are Electron-based, which means each bundles its own copy of Chromium, and therefore of libwebp, that is not fixed by updating the system library or the browser; each application needs its own vendor update.
We are committed to empowering our customers to safeguard themselves and their end users against rising cyber threats. Count on us to deliver the full breadth of proactive cybersecurity, including, for instance:
We are working to mitigate the risks associated with this critical vulnerability and urge our customers to remain vigilant, stay informed, and take proactive measures to stay ahead of potential threats. Questions? Contact us at Support@dvdnetworks.com.