September 22, 2023
So what’s this all about then?
This CVE has been notified by Apple to Google regarding a vulnerability found in the way in which chrome browsers handle images inside one of the libraries fundamental to the Chrome browser, namely libwebp or WebP.
Why does this matter to me?
The buffer overflow escapes the browsers sandboxing system and could (can) allow attackers to perform remote code execution.
Normally, in an isolated incident this wouldn’t be big news but this vulnerability affects a lot of systems. How many? Count the total number of chromium based browsers in use today in the world and that’s how many! 2021 estimates put this in excess of 3.7 billion browsers but the exact number in 2023 is probably significantly higher.
Moreover it doesn’t just affect Chrome, it affects also Edge & Firefox plus many other browsers based on the Chrome code base. In fact any application developed with the libwebp library could also be vulnerable, think apps with embedded browsers for example.
As if this wasn’t bad enough there is an exploit in the wild which is actively taking advantage of this vulnerability.
So what next?
Thankfully the latest version of Chrome and its derivatives have mostly been fixed already. No known PoC code has been published at the time of writing this post, which helps at this time but the cost of not updating your browser to the latest release could be a hefty price to pay if this situation acutely changes.
Organisations are encouraged and advised to patch their browsers as quickly as possible, pay particular attention to systems where for some reason automatic updates are disabled. Microsoft have released updates for Edge already in the last Patch Tuesday release and individual browsers can be patched from within the browser through the embedded update option.
CyberOne has devised some detections for its managed service customers to identify when they are using vulnerable browsers and alert this to those customers as a matter of urgency.
Anyone who wishes to know if they are using a vulnerable browser can visit this handy link on our website – we promise its safe – to validate if you are affected.
If you want to update your browser please copy this link in to your browser chrome://settings/help – it will take you straight to the browsers update capability. You will likely need to reload your browser. Alternatively you can go to Settings | About Chrome if you would prefer to do it manually yourself.
For moreinformation on this vulnerability, please visit:
Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863