So What’s This All About Then?
Apple has notified Google of this CVE, a vulnerability in how Chrome handles images inside libwebp (the WebP image library), one of the libraries fundamental to the Chrome browser.
Why Does This Matter to Me?
The buffer overflow escapes the browser’s sandbox and can allow attackers to achieve remote code execution.
Normally, an isolated incident like this wouldn’t be big news, but this vulnerability affects a great many systems. How many? Count the number of Chromium-based browsers in use today, and that’s how many! 2021 estimates put this in excess of 3.7 billion browsers, and the exact number in 2023 is probably significantly higher.
Moreover, it doesn’t just affect Chrome; it also affects Edge and Firefox, as well as many other browsers based on the Chrome code base. In fact, any application built with the libwebp library could also be vulnerable; think of apps with embedded browsers, for example.
As if this wasn’t bad enough, there is an exploit in the wild actively targeting this vulnerability.
So What Next?
Thankfully, the latest versions of Chrome and its derivatives have mostly been fixed already. No known PoC code had been published at the time of writing, which helps, but failing to update your browser to the latest release could carry a hefty price if that situation changes abruptly.
Organisations are encouraged and advised to patch their browsers as quickly as possible and to pay particular attention to systems where automatic updates are disabled. Microsoft released updates for Edge in the last Patch Tuesday release, and individual browsers can be patched from within the browser through the embedded update option.
CyberOne has devised detections for its managed service customers that identify vulnerable browsers in use and alert those customers as a matter of urgency.
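The core of any "am I running a vulnerable browser?" check is comparing the installed version against the first fixed release, and doing it numerically rather than as strings (a string compare puts "9.x" after "116.x"). The following is an added example written for this post, not CyberOne’s managed-service detection and not vendor code. It assumes the browser binary is on PATH and answers `--version` with a line such as `Google Chrome 100.0.4000.10` (the sample version strings and the fixed-version table values are constructed; the real fixed versions must come from the vendor advisory, which is why the table below ships with `None` placeholders).

```python
"""Classify a browser's reported version against a known-fixed release.

Added example for this post (not CyberOne's detection, not vendor code).
Fixed-version numbers are placeholders: take the real ones from the vendor
advisory for each browser before using this on an estate.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Matches "<product name> <major>.<minor>.<build>.<patch>" as printed by
# Chromium-based browsers for `--version`; the name is everything before the digits.
_VERSION_LINE = re.compile(r"^(?P<name>[A-Za-z ]+?)\s+(?P<ver>\d+(?:\.\d+){1,3})")


def parse_version_line(line: str) -> Optional[Tuple[str, Version]]:
    """Return (product name, numeric version tuple) for a `--version` line, or None."""
    m = _VERSION_LINE.match(line.strip())
    if not m:
        return None
    return m.group("name").strip(), tuple(int(p) for p in m.group("ver").split("."))


def is_vulnerable(installed: Version, fixed: Version) -> bool:
    """True if `installed` is strictly older than the first fixed release.

    Components are compared numerically and shorter tuples are zero-padded,
    so (100, 0, 4000) is treated as 100.0.4000.0.
    """
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(fixed)


def assess(line: str, fixed_versions: Dict[str, Optional[Version]]) -> str:
    """Classify one `--version` output line against the fixed-version table."""
    parsed = parse_version_line(line)
    if parsed is None:
        return "unparsed"
    name, ver = parsed
    if name not in fixed_versions:
        return "unknown-product"
    fixed = fixed_versions[name]
    if fixed is None:
        # Refuse to report "patched" until a real fixed version is configured.
        return "fixed-version-not-configured"
    return "vulnerable" if is_vulnerable(ver, fixed) else "patched"


def installed_version_line(binary: str) -> Optional[str]:
    """Run `<binary> --version` if the binary is on PATH; otherwise return None."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=15)
    return out.stdout.strip() or None


if __name__ == "__main__":
    # PLACEHOLDERS: replace None with the fixed version from each vendor's advisory.
    FIXED: Dict[str, Optional[Version]] = {"Google Chrome": None, "Microsoft Edge": None}
    for binary in ("google-chrome", "chromium", "microsoft-edge"):
        line = installed_version_line(binary)
        if line:
            print(f"{line}: {assess(line, FIXED)}")
```

For fleet-wide use, the same `assess` function can be fed version strings collected by endpoint management tooling rather than by running the binary locally; the parsing and comparison logic is unchanged.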
Anyone who wishes to know if they are using a vulnerable browser can visit this handy link on our website—we promise it’s safe—to validate if they are affected.
If you want to update your browser, paste this link into your browser’s address bar: chrome://settings/help. It will take you straight to the browser’s update page. You will likely need to relaunch your browser afterwards. Alternatively, you can go to Settings | About Chrome if you prefer to do it manually.
For more information on this vulnerability, please visit: