NVD - CVE-2023-4863
nvd.nist.gov

Any Chromium and Firefox browser prior to version 116 will be vulnerable to this, update your browsers.

    • seaQueue@lemmy.worldEnglish
      21·
      1 year ago

      It’s last week’s big libwebp vulnerability again.

      Edit: this underlying vuln is why last week’s CVE was such a big deal, anything using webp is at risk including a whole big pile of electron apps that everyone uses.

    • GamingChairModel@lemmy.worldEnglish
      16·
      1 year ago

      Sorta. OP just linked the full disclosure of the libwebp vulnerability that made the news 2 weeks ago.

      But there’s an even more recent vulnerability in libvpx that was announced this week, that is similar in a lot of ways (including severity).

  • cheese_greater@lemmy.worldEnglish
    231·
    1 year ago

    What actual like platforms does this affect and to what extent tho? Like Mac (probably not iOS which is WebKit)?

        • towerful@programming.devEnglish
          8·
          1 year ago

          https://www.techtarget.com/searchsecurity/news/366551978/Browser-companies-patch-critical-zero-day-vulnerability

          Citizen Lab said Blastpass was discovered on the device of an employee with “a Washington DC-based civil society organization” and that it could be mitigated by Apple’s Lockdown Mode. An investigation into the exploit chain continues, but researchers said it involved “PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”

          Edit:

          Fuck my reading skill (or fuck articles listing multiple high profile CVEs)…
          Blastpass is not the same libwebp CVE (blastpass, the iMessage thing, is CVE-2023-41064. libwebp is CVE-2023-4863 - although that is the chrome one, despite this affecting libwebp not chrome).

          I think the whole situation is very rapidly being researched and it’s all developing.
          So, no idea if lockdown mode would have any effect

            • towerful@programming.devEnglish
              10·
              1 year ago

              Nah, this bullshit is progress.
              The root of this problem has always existed. Exploits have always been there, mistakes have always been there. These things are fundamentally unavoidable.
              Acknowledging then, documenting them is new. Sensible disclosure is new. Companies paying for these bug bounties before they are publicly disclosed (so they can be fixed) is new.
              And it’s awesome. It’s security. It’s people working together for the betterment of everyone.

              It would be amazing if people didn’t make mistakes. But that isn’t possible.
              Openess, honesty and quickly remedying of issues is possible, and it’s laudable.

              So yeh, next time you get an annoying update that interrupts you’re workflow. Please understand the work and reason behind the update. You can still be pissed at the interruption, but please appreciate the human reason for it.

              Edit: I read “good” as “god”. Idk if that changes anything

              • cheese_greater@lemmy.worldEnglish
                6·
                1 year ago

                I def agree with the openess tenor of your reply. People and companies (since companies technically “are” people) need to stop valuing pride over security and safety and all the good stuff of life. Like, just fix the damn cancer, stop trying to hide it and cut off the progrssively more necrotic limbs to save face.

                We don’t disagree on anything, I was perhaps inelegant and non-specific in my invective.

                • towerful@programming.devEnglish
                  1·
                  1 year ago

                  since companies technically “are” people

                  This wording is some legal loophole bullshit.
                  I have tried to word something that disagrees with this for 30m. I can’t figure it out.
                  This is bullshit.
                  But this “company is person” tries to re-humanise corporations. I think. Or something.

                  Have some ranting…

                  A company is a group of people working in the interest of themselves.
                  A person is generally working in the interest of themselves.
                  A group of people always has more power than a single person, and thus should be held to a higher standard.

                  It seems like Google is taking this seriously… now (assigning a 10.0. The next highest is an 8.8 for $15k). But it seems like the cve is still assigned to chrome, as opposed to libwebp (where the actual vulnerability is)

                  And while I appreciate the publication - the fact its a 0-day publication (as opposed to “we patched this 6 months ago”) means Google hasn’t taken it seriously previously (or it’s be found exploited in the wild)

    • Phen@lemmy.eco.brEnglish
      15·
      1 year ago

      Discord, slack, MS Teams, Steam, pretty much anything. But most of them have already fixed it so if you let stuff update itself frequently, there’s little risk.

    • Th3D3k0y@lemmy.worldEnglish
      14·
      1 year ago

      Current Description

      Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

      • cheese_greater@lemmy.worldEnglish
        4·
        1 year ago

        By crafter webpage, does it mean it refers to anything like phishing or something a more savvy user wouldn’t likely “fall for” or does that actually not matter (zero-day or whatever)

    • GamingChairModel@lemmy.worldEnglish
      2·
      1 year ago

      Apple also released urgent out-of-band security patches for iOS and MacOS around the same time, and disclosed that it had something to o do with imag processing. Unclear whether they use libwebp or some other implementation, but they disclosed that it was being actively exploited on iPhones.

      • Turun@feddit.deEnglish
        6·
        1 year ago

        No, how could I be mad about the truth? We’d download and run any dotfiles if the screenshot looks nice enough.

    • Bipta@kbin.social
      151·
      1 year ago

      As far as I’m aware this does affect Android and is not currently fixed. It’s expected to be fixed in the October security patch.

      This is just my memory of reading weeks ago. Someone else may know better.

      • 9point6@lemmy.worldEnglish
        91·
        1 year ago

        The Android webview is updated through the play store as of a few years ago

        • Bipta@kbin.social
          3·
          1 year ago

          I believe the libwebp is implemented at the OS level. Again someone else may know better.

      • TakingOnWater@lemmy.worldEnglish
        1·
        1 year ago

        So if the phone gets a security update for this at the OS level, should we theoretically be safe to use apps with any sort of browser functionality? Like some apps that don’t update, or are no longer being maintained, etc

    • GamingChairModel@lemmy.worldEnglish
      4·
      1 year ago

      This isn’t just a browser vulnerability. It’s a vulnerability at a much more fundamental level, which is why it’s so critical. It’s a vulnerability in how almost every piece of software processes a widely supported image format, so anything that touches images is potentially at risk: browsers, chat or messaging apps, file browsers, or really anything that uses thumbnails or image previews, including some core OS functionality. On the server side, you’ve got anything that makes thumbnails and previews, too.

      We should wait and see whether there are any practical attacks outside the browser context (maybe the malicious code needs to be placed in a web page that displays the malicious image file, or maybe they need to figure out a way to actually put all the malicious code in the image file itself). But the vulnerability itself is in a fundamental library used by a lot more software.

  • Vub@lemmy.worldEnglish
    10·
    1 year ago

    Not sure why you only mention Chromium and Firefox in the post text, I can only assume this vulnerability affects ALL browsers. Safari (WebKit based) is, as far as I know, the second most used browser in the world.

    • dwokimmortalus@lemmy.worldEnglish
      4·
      1 year ago

      It’s anything implementing .webp support. Though the CVE has been out for nearly two weeks already so most apps have been patched.

      • Marius@lemmy.mariusdavid.frEnglish
        1·
        1 year ago

        Actually, it’s specific to libwebp, but many things that decode webp just use this library (for example, decoding webp with the “image” rust crates doesn’t use libwebp. It does use it for encoding thought).

  • nostradiel@lemmy.worldEnglish
    1416·
    1 year ago

    I found these alerts so hilarious… You have no idea how many vulnerabilities are discovered by grey/blackhat hackers. Even whitehat working for the governments or contractors not reporting it to have more variety of back doors.

    But ok… Update and “be” protected. 🤣

    • CriticalMiss@lemmy.worldEnglish
      331·
      1 year ago

      Yes but this is a vulnerability now open to the public that script kiddies are going to utilize so unless you want your data grabbed by a 14yo larper for opening an image in your browser update your browser

      • bobman@unilem.orgEnglish
        112·
        1 year ago

        Why are script kiddies always, kids?

        Not a single child I knew growing up knew how to program.

        • StinkyRedMan@lemmy.worldEnglish
          91·
          1 year ago

          That’s the point, script kiddies refers to young peoples with low to no technical knowledge using tools made by other peoples.

          • bobman@unilem.orgEnglish
            110·
            1 year ago

            But that’s why it’s misleading.

            Most of the people writing these scripts to exploit known vulnerabilities are not young. It’s just an insult to people who write scripts.

              • bobman@unilem.orgEnglish
                111·
                1 year ago

                Right. Using/writing, my point still stands that most of them are not kids. It’s just an insult because it doesn’t require much effort, but has nothing to do with youth.

                Nice ellipses, though. Makes me know you’re not really worth listening to.

                • kevinBLT@lemmy.worldEnglish
                  11·
                  1 year ago

                  Your “point” isn’t one, the fact that you don’t seem to comprehend that makes me sure you have brain problems.

    • CrayonRosary@lemmy.worldEnglish
      402·
      1 year ago

      How is this clickbait? The all-caps is a bit much, but the title contains everything you need to know. There’s nothing remotely clickbaity about it.

        • BorgDrone@lemmy.oneEnglish
          51·
          1 year ago

          I just wanted to seem a bit urgent.

          It was kinda urgent two and a half weeks ago when this was first published. Now, not so much,

          • VitabytesDev@feddit.nlOPEnglish
            22·
            1 year ago

            Two and a half weeks ago? I learned about it yesterday. Sorry for bothering you then.