Google Reclassifies libwebp Bug Exploited in Attacks
September 26, 2023
Google has reclassified a previously identified security vulnerability in its Chrome browser, now assigning a new CVE ID (CVE-2023-5129) to the flaw in the open-source libwebp library. This library is used to encode and decode images in WebP format. The vulnerability was initially disclosed as a Chrome weakness, tracked as CVE-2023-4863.
The zero-day vulnerability was reported by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School on September 6, and Google patched it less than a week later. Citizen Lab has a history of revealing zero-days that have been used in targeted spyware campaigns, often linked to state-sponsored threat actors targeting high-risk individuals such as journalists and opposition politicians.
Google's initial decision to label the vulnerability as a Chrome bug rather than a libwebp flaw caused some confusion in the cybersecurity community. Ben Hawkes, founder of a security consulting firm and former leader of Google's Project Zero team, linked CVE-2023-4863 to another vulnerability (CVE-2023-41064) that was addressed by Apple and exploited as part of a zero-click iMessage exploit chain (known as BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus commercial spyware.
However, Google has now assigned a new CVE ID, CVE-2023-5129, to the vulnerability in libwebp, rating it as a critical issue with a maximum 10/10 severity rating. This reclassification has implications for other projects that use the libwebp open-source library. The vulnerability, now officially recognized as a libwebp flaw, involves a heap buffer overflow in WebP that impacts Google Chrome versions preceding 116.0.5845.187.
The vulnerability lies within the Huffman coding algorithm used by libwebp for lossless compression, enabling attackers to execute out-of-bounds memory writes using maliciously crafted HTML pages. This type of exploit can lead to serious consequences, including crashes, arbitrary code execution, and unauthorized access to sensitive information.
The reclassification of CVE-2023-5129 as a libwebp vulnerability is significant because it was initially overlooked as a potential security threat for many projects using libwebp. These include 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and native Android web browsers. The revised critical rating highlights the need to quickly address the security vulnerability (now tracked under multiple CVE IDs with different severity ratings) across these platforms to protect users' data. Google did not provide a comment when contacted.
Related News
- Spyware Attacks Exploit Recently Patched Apple, Chrome Zero-Days
- Qatar's Cybersecurity Agency Raises Alarm on Mozilla's RCE Vulnerabilities
- Mozilla Fixes Critical Zero-Day Vulnerability in Firefox and Thunderbird
- Apple's Zero-Day Fix for Older iPhones: Backporting the BLASTPASS Solution
- Google Addresses Critical Chrome Zero-Day Vulnerability Reported by Apple and Spyware Researchers
Latest News
- Clop Ransomware Attack on BORN Ontario Child Registry Impacts 3.4 Million Individuals
- Critical Vulnerability in TeamCity CI/CD Server Could Lead to Remote Server Takeover
- National Student Clearinghouse Data Breach Affects 900 US Schools
- Spyware Attacks Exploit Recently Patched Apple, Chrome Zero-Days
- Emergency Security Update iOS 17.0.1: A Critical Alert for All iPhone Users
Like what you see?
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.