Two weeks after designating Chrome vulnerability CVE-2023-4863, Google has assigned a new critical CVE, CVE-2023-5129, to reflect the flaw’s impact on the entire open-source libwebp library rather than just Google’s Chrome browser.
The libwebp library is used by a wide range of programs, including 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and native Android web browsers, to encode and decode images in WebP format.
The bug resides within the coding algorithm used by libwebp and could enable threat actors to execute out-of-bounds memory writes using specifically crafted HTML pages. Successful exploitation can cause denial of service (due to crashes), arbitrary code execution, and unauthorized access to sensitive information.
The confusion surrounding the designation of these CVEs could have severe cybersecurity implications in the near and medium term. The period between the initial discovery of a flaw in what was thought to have been the Chrome browser and the realization that the flaw was in the libwebp library itself provides threat actors with ample time to exploit this vulnerability.
It’s likely that threat actors could be abusing this vulnerability in other programs that use libwebp library and will do so until patches are developed and deployed.
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect strongly encourages users to update their browsers, email clients, and other programs that use libwebp to render WebP images to the latest versions as soon as possible. Additionally, developers whose software uses WebP formatting should update from the latest libwebp library.