Google recently released an emergency security fix for a critical zero-day vulnerability initially identified as CVE-2023-4863. This vulnerability has a CVSS score of 8.8 and was targeting Google Chrome across Windows, macOS, and Linux systems.
There was also a high priority vulnerability, CVE–2023-41064, recently discovered by the Apple Security Engineering & Architecture team and Citizen Lab. CVE-2023-41064 was a key component of the “BLASTPASS” exploit chain, a zero-click iMessage exploit targeting iPhones with the Pegasus spyware.
The key discovery is that both CVE-2023-4863 and CVE-2023-41064 likely stem from the same underlying problem. While initially reported by Google and Apple as separate vulnerabilities, they share elements resulting from a common library package used for WebP image encoding and decoding.
Google reissued a high-priority CVE-2023-4863, with a maximum CVSS score of 10, signifying a severe and actively exploited vulnerability. While initially considered a Chrome-specific issue, it has since been revealed that this vulnerability extends its reach far beyond browsers, impacting any application or software relying on the libwebp package.
The libwebp image library is a fundamental piece of software integrated into a vast array of operating systems and applications, including popular ones built on the Electron framework, known for its cross-platform compatibility. Rezilion’s analysis has uncovered essential insights into the true scope of this vulnerability. Millions of different applications worldwide are potentially at risk due to their reliance on the libwebp package.
Although it is a very complex attack, essentially, this vulnerability can be triggered by a specially-crafted WebP lossless file. When the file is parsed, the BuildHuffmanTable function will perform an out-of-bounds write in the program’s heap memory, leading to a denial-of-service or remote code execution (RCE). The heart of the issue lies in the flawed implementation of the Huffman coding algorithm.
Given the confirmed exploitation of CVE-2023-4863 in the wild, applying patches is imperative. Traditional scanners may not provide reliable results, so it’s crucial to apply the provided patches promptly. Several software, browsers, and packages have been affected:
- Web Browsers: Google Chrome, Mozilla Firefox, Brave Browser, Microsoft Edge, Tor Browser, Opera, Vivaldi
- Operating Systems: Debian, Ubuntu, Alpine, Gentoo, RedHat, SUSE, Oracle, and others have released security fixes
- Other Software: Electron, Xplan, Signal-Desktop, Honeyview, Zulip Server, Microsoft Teams, Slack, Skype, Gimp, Inkscape, LibreOffice, ffmpeg
In a digital world fraught with evolving threats, our ability to adapt and secure our systems hinges on staying informed and taking proactive measures. The intricate web of vulnerabilities, exemplified by CVE-2023-4863 and its counterparts, reminds us of the importance of vigilance and swift action. By maintaining awareness of emerging risks and promptly applying patches, we not only shield our systems from potential harm but also contribute to the broader effort of fortifying the digital landscape for all.
Bytes & Insights: The Key Takeaways
In Summary: Diving into the discovery of critical zero-day vulnerabilities, including CVE-2023-4863, initially identified in Google Chrome and later revealed to impact software relying on the libwebp package for WebP image encoding and decoding. The article highlights the complexities of these vulnerabilities and their far-reaching implications, emphasizing the urgency of patching and proactive cybersecurity measures.
Why It Matters: The interconnected vulnerabilities, such as CVE-2023-4863, demonstrate the potential ripple effect across a wide range of software. MSPs should proactively monitor and address these vulnerabilities, apply patches promptly, and keep clients informed to ensure the resilience of their systems. Being aware of emerging threats and taking swift action helps MSPs maintain trust and security in an increasingly complex digital landscape, ultimately safeguarding their clients’ data and operations.
To stay up to date on all APG intel, follow them on Twitter and Reddit.