Libwebp Vulnerability and CVE-2023-4863 – What should you be worried about?

by | Sep 29, 2023 | Blog, Critical Patches

Patch Tuesday Releases

Tech Blogs

Critical Patches

Community Links

Threat actors are constantly lurking in the shadows, waiting to exploit vulnerabilities in our digital world and make our lives, as sys admins miserable. We thought it might be prudent to give our own spin on the Critical Vulnerability and Exposure (CVE) 0-day exploit that has been discovered in the wild recently. If you read the headlines and the CVE description over at NIST, you might be led to believe that the exploit only affects Google Chrome. But the libwebp library is used across many apps. The attack surface is broad, the criticality is, well, critical. So what’s the actual scoop?

CVE-2023-5129 – A Google Chrome problem?

There has been a lot of noise about CVE-2023-5129 recently, so which of the multiple CVE IDs should we be focusing on here? Is it only Google Chrome affected by the vulnerability? When we take a look at the NIST website for CVE-2023-5129, we can see it has actually been rejected.

CVE-2023-5129 rejected

We don’t really know the intent behind the submission for CVE-2023-5129 but out best guess is that Google were trying to highlight that the open source libwebp library security vulnerability affected more than just Google Chrome – and they are right.

We can see that CVE-2023-4863 has been modified – the hunch is the vulnerability will draw less attention to a single product and more to the fact that the problem is wider spread – and you should patch all your things.

CVE-2023-4863 has been modified

Ground Zero – A Quick peek at Apple Security Engineering

On 7th September 2023, the good folks at Citizen Lab published details about a zero day exploit coined BLASTPASS (seriousness aside, what a cool name for an exploit). Multiple apple OS products were affected. Apple security engineering was quick to released updates to address the arbitrary code execution vulnerability. Specifically, they were addressing CVE-2023-41064 and CVE-2023-41061 which were addressed in:-

  • iOS 16.6.1

  • iPadOS 16.6.1

  • macOS Monterey 12.6.9

  • macOS Ventura 13.5.2

  • iOS 15.7.9

  • iPadOS 15.7.9

  • macOS Big Sur 11.7.10

Note: If you are looking for a neat site to pin, Citizen lab have some great articles you should check out at https://citizenlab.ca/

Heap Buffer Overflow

The libwebp security vulnerability is located within a specific part of the open-source libwebp library, which is responsible for both encoding and decoding images in the WebP format. More precisely, this vulnerability involves a problem known as a heap buffer overflow, occurring within the libwebp library’s implementation of the Huffman coding algorithm.

Huffman coding is a crucial technique employed to achieve lossless compression when working with WebP images. The recently discovered heap buffer overflow vulnerability allows for unauthorized and potentially malicious overflow of data in a specific memory storage area known as the “heap”, which is utilized during the Huffman coding process.

This vulnerability poses a significant security risk as it could be exploited to manipulate and compromise the integrity of images in WebP format, potentially leading to unauthorized access or the execution of malicious code, in maliciously crafted html pages, for commonly used apps like, but not restricted to, Electron, Chromium based browsers (including Microsoft Edge), Mozilla Firefox and more.

CVE-2023-4863

The focus is back on CVE-2023-4863, for now. Over at Mitre, we get an idea of other vendors who have released updates to address the zero day libwebp vulnerability. Some vendors are still listing CVE-2023-5129 as the vulnerability that was fixed, we can overlook the error of their ways, for now at least. Remember, this isn’t just a vulnerability that affects Google Chrome. As an example, Mozilla Firefox has been updated to protect against any potential malicious webp image:-

https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/

What should I patch?

You are asking the question to a bunch of people who are passionate about patching everything. Even the sleeves of Grandpa’s jumper. Nobody likes to hear the term “Arbitrary code execution” or “state sponsored threat actors” when eating dinner. Save yourselves the conversation at the next team meeting and casually lean back in your chair and announce “We got it covered”.

We have seen vendors release patches, they are already in the Patch My PC catalog. A few examples with the vulnerability patched are include:-

Microsoft Teams is an interesting one. The latest version, 1.6.00.24078, still lists that it uses Electron 19.1.8. This version of Electron has been around for a while – has it been patched? No evidence suggests that it has. We need to do some more digging in to this one.

Electron versioning for Microsoft Teams in Windows

Summary

It is so difficult to stay on top of these CVE’s, more so for SME’s how maybe don’t have a dedicated security team to track and remediate devices. The webp image format allows websites to display high-quality images with much smaller file sizes than traditional formats such as JPG. It is used extensively in more apps than you would probably know. You really have to have your eye on the ball in this game.

We are a few cycles of the sun away from having a “1 button to save us all from the zero day” feature in our arsenal. Until then, patch everything, all the time, but don’t let it be costly on your time or your health. We got you covered!

Tech Blog

Crowdstrike Debacle: A Love Letter to System Administrators Feature Image

The CrowdStrike Debacle: A Love Letter to System Administrators

Explore lessons from the 2024 CrowdStrike incident. A tribute to system admins and insights on what went wrong, how it was fixed, and preparing for...
SCCM vs WSUS - Blog Feature Image

SCCM Software Updates vs. WSUS Standalone Updates

Comparison of features between WSUS and Configuration Manager for managing updates and the platforms’ pros and cons

Kanban vs Scrum - Introduction to Kaban Feature Image

Introduction to Kanban: A Functional Overview of a Flexible Application of Agile Methodology

Kanban is an extension of Agile that offers flexibility and focus when approaching project management strategy. While initial implementation may...
PowerShell Uses - Feature Image

PowerShell Uses – Things to Start Doing, Things to Stop Doing

There are some things in PowerShell that you need to start doing but also stop doing. What is PowerShell and some of the best practices?

Intune Win32 Apps Guide to Availability and Deadlines Feature Image

Intune Win32 apps: A Strategic Guide to Availability and Deadlines

Discover the ins and outs of Intune Management Extension in our latest blog post. We’re exploring its behavior with scheduled win32 app...

Windows Defender Exploit Guard breaks Google Chrome

Often, blog titles are sensationalised and designed to draw the readers attention. In September 2023, we did actually observe the behavior described...
Discovery Apps - Intune Software Inventory - Feature Image

Discovered Apps – The Intune Software Inventory

Is there an Intune Software Inventory? How does Intune detect apps installed in my tenant? Find out everything you need to know about Discovered...

Intune Scope Tags and Role-Based Access Control Explained

In today's interconnected era, it has become increasingly common for large organizations to have multiple IT departments and workers spread across...

Intune Discovered Apps – Missing Inventory Data

At the tail end of June 2023 and into the first week of July 2023, many admins started to report that application inventory data was missing in...
Intune Discovery Apps - Detecting your applications and gaining back control Feature Image

Intune Discovered Apps – Detecting your applications and gaining back control

Learn more about the power of Intune Discovered Apps for application inventory management. Detect and manage your software inventory...

The CrowdStrike Debacle: A Love Letter to System Administrators

Explore lessons from the 2024 CrowdStrike incident. A tribute to system admins and insights on what went wrong, how it was fixed, and preparing for...

SCCM Software Updates vs. WSUS Standalone Updates

Comparison of features between WSUS and Configuration Manager for managing updates and the platforms’ pros and cons

Introduction to Kanban: A Functional Overview of a Flexible Application of Agile Methodology

Kanban is an extension of Agile that offers flexibility and focus when approaching project management strategy. While initial implementation may...

PowerShell Uses – Things to Start Doing, Things to Stop Doing

There are some things in PowerShell that you need to start doing but also stop doing. What is PowerShell and some of the best practices?

Intune Win32 apps: A Strategic Guide to Availability and Deadlines

Discover the ins and outs of Intune Management Extension in our latest blog post. We’re exploring its behavior with scheduled win32 app...

Windows Defender Exploit Guard breaks Google Chrome

Often, blog titles are sensationalised and designed to draw the readers attention. In September 2023, we did actually observe the behavior described...

Discovered Apps – The Intune Software Inventory

Is there an Intune Software Inventory? How does Intune detect apps installed in my tenant? Find out everything you need to know about Discovered...

Intune Scope Tags and Role-Based Access Control Explained

In today's interconnected era, it has become increasingly common for large organizations to have multiple IT departments and workers spread across...

Intune Discovered Apps – Missing Inventory Data

At the tail end of June 2023 and into the first week of July 2023, many admins started to report that application inventory data was missing in...

Intune Discovered Apps – Detecting your applications and gaining back control

Learn more about the power of Intune Discovered Apps for application inventory management. Detect and manage your software inventory...