JEI Tech Helps Customers Address Critical WebP Vulnerability

JEI Tech now scans for and identifies CVE-2023-4863, a critical vulnerability in the libwebp image library with severe implications for a wide range of applications, browsers, and operating systems. Disclosed in September 2023, the vulnerability has been compared to Log4j: like Log4j, libwebp is a ubiquitous library embedded in countless products, so the bug is far more serious and widespread than originally thought.

Our team is working diligently to help our customers identify and patch applications affected by this zero-day vulnerability, which was already being exploited in the wild when it was disclosed. We are also actively expanding our scanning coverage to additional impacted software.

The Uncovering of CVE-2023-4863 in ‘libwebp’

Initial Disclosure

On September 11, 2023, Google issued a security advisory for a critical vulnerability in libwebp, the library used to encode and decode WebP images. Initially disclosed as affecting only Chrome, the advisory proved to be too narrow. As other major browsers began issuing notices, it became clear that the impact was far-reaching: every application that bundles or links libwebp is affected, which puts an enormous number of applications at risk.

Massive Attack Surface

Cybersecurity experts noted that the vulnerable library was present in the latest versions of several popular container images, collectively downloaded and deployed billions of times, including Nginx, Python, Joomla, WordPress, Node.js, and more.

Heap Overflow

This heap buffer overflow, tracked as CVE-2023-4863, is an out-of-bounds write in the Huffman table construction of libwebp’s lossless (VP8L) decoder. It allows attackers to execute malicious code when a user merely views a booby-trapped WebP image; upstream fixed it in libwebp 1.3.2. To reflect that the flaw lives in the library rather than in Chrome alone, Google later issued a separate identifier for libwebp itself, CVE-2023-5129, and assigned it the highest CVSS severity rating of 10 out of 10. (Side note: that second CVE ID has since been rejected by its CVE Numbering Authority as a duplicate of CVE-2023-4863, which remains the identifier to track.)

More Discoveries and Warnings

Further complicating the situation, the vulnerability was reported to Google by both the Citizen Lab and Apple’s Security Engineering and Architecture (SEAR) team. The Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog, citing active exploitation by undisclosed threat actors and underlining the immediate risk posed by this vulnerability.

Reporting Missteps

Notably, critics say the miscommunication between Google and Apple during the early stages of addressing the vulnerability gave threat actors more time and created a “huge blind spot” for zero-day hunters. Each company initially scoped the vulnerability to its own product (Chrome on one side, Apple’s ImageIO framework on the other), even though both products use the same libwebp library.

Link to Pegasus Software

Additionally, researchers established that CVE-2023-41064, Apple’s identifier for the same underlying libwebp bug in its ImageIO framework, had already been exploited as part of the BLASTPASS exploit chain. That zero-click chain was used to deploy the NSO Group’s Pegasus spyware on targeted iPhones, further elevating the significance and potential consequences of the libwebp vulnerability.

JEI Tech Responds to WebP Vulnerability

In response, we immediately mobilized resources to help our customers promptly identify and patch applications associated with this vulnerability. Our team is vigorously testing and deploying patches for a wide range of applications and platforms.

Patching

Specifically, we have tested patches for:

  • Google Chrome – Mac and Linux 116.0.5845.187 and Windows 116.0.5845.187/.188.
  • Mozilla – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2
  • Brave Browser – version 1.57.64 (Chromium: 116.0.5845.188) [Android, iOS, Linux & Mac].
  • Microsoft Edge – versions 109.0.1518.140, 116.0.1938.81, and 117.0.2045.31.
  • Tor Browser – version 12.5.4.
  • Opera – version 102.0.4880.46.
  • Vivaldi – version 6.2.3105.47.
  • Bitwarden
  • LibreOffice
  • SUSE
  • Ubuntu
  • LosslessCut
  • NixOS – Nix package manager
  • Tails Project

Application Scanning

We are also undertaking comprehensive scanning for the vulnerable library across a diverse range of applications, many of them Electron-based desktop apps that bundle their own copy of Chromium and therefore their own copy of libwebp, including: CrashPlan, Cryptocat (discontinued), Discord, Eclipse Theia, FreeTube, GitHub Desktop, GitKraken, Joplin, Keybase, Lbry, Light Table, Logitech Options+, LosslessCut, Mattermost, Microsoft Teams, MongoDB Compass, Mullvad, Notion, Obsidian, QQ (for macOS), Quasar Framework, Shift, Signal, Skype, Slack, Symphony Chat, Tabby, Termius, TIDAL, Twitch, Visual Studio Code, WebTorrent, Wire, and Yammer.
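The two checks below illustrate how such a scan can be approached; they are an added example written for this article, not JEI Tech’s scanning tooling. Chromium and Electron binaries embed their user-agent fragment (for example `Chrome/116.0.5845.188`) as plain text, and the fix shipped in Chromium 116.0.5845.187, so an older embedded version means the app carries a vulnerable libwebp unless its vendor patched it separately. Distribution packages carry an upstream version, and upstream fixed the bug in libwebp 1.3.2; but distributions routinely backport fixes without bumping that version, so an old upstream version is only a candidate to confirm against the distro advisory. The package inventory, the fake binary blobs, and the verdict labels (`ok`, `vulnerable-chromium`, `check-advisory`) are constructed for the example.

```python
import os
import re
from typing import Iterator, List, Optional, Tuple

# First releases carrying the fix (upstream facts); everything else here is illustrative.
CHROMIUM_FIXED = (116, 0, 5845, 187)   # first Chrome/Chromium stable with the libwebp fix
LIBWEBP_FIXED = (1, 3, 2)              # first upstream libwebp release with the fix

# Chromium and Electron binaries embed their user-agent fragment as plain ASCII.
_UA_RE = re.compile(rb"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def chromium_version(data: bytes) -> Optional[Tuple[int, ...]]:
    """Lowest Chrome/x.y.z.w version string found in a binary blob, or None."""
    found = [tuple(int(g) for g in m.groups()) for m in _UA_RE.finditer(data)]
    return min(found) if found else None


def classify_binary(data: bytes) -> Optional[str]:
    """'ok', 'vulnerable-chromium', or None when the blob is not Chromium-based."""
    version = chromium_version(data)
    if version is None:
        return None
    return "ok" if version >= CHROMIUM_FIXED else "vulnerable-chromium"


def upstream_version(pkg_version: str) -> Tuple[int, ...]:
    """Reduce a dpkg/rpm version such as '2:1.2.4-0.2+deb12u1' to upstream (1, 2, 4)."""
    without_epoch = pkg_version.split(":", 1)[-1]
    without_revision = without_epoch.rsplit("-", 1)[0]
    m = re.match(r"\d+(?:\.\d+)*", without_revision)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def classify_package(name: str, version: str) -> Optional[str]:
    """'ok', 'check-advisory' (old upstream; the distro may have backported the fix), or None."""
    if "libwebp" not in name.lower():
        return None
    return "ok" if upstream_version(version) >= LIBWEBP_FIXED else "check-advisory"


def scan_tree(root: str, max_bytes: int = 512 * 1024 * 1024) -> Iterator[Tuple[str, str]]:
    """Yield (path, verdict) for every regular file under root that embeds a Chrome/ UA fragment."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    verdict = classify_binary(fh.read())
            except OSError:
                continue           # unreadable or vanished file: skip it, keep scanning
            if verdict is not None:
                yield path, verdict


def scan_packages(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply classify_package to (name, version) pairs, e.g. from dpkg-query or rpm -qa output."""
    results = []
    for name, version in inventory:
        verdict = classify_package(name, version)
        if verdict is not None:
            results.append((name, version, verdict))
    return results


# Constructed sample data for the example (not real inventories or binaries).
SAMPLE_PACKAGES = [
    ("libwebp7", "1.2.4-0.2+deb12u1"),   # Debian-style: old upstream, fix may be backported
    ("libwebp", "1.3.2-1.fc39"),          # rpm-style: fixed upstream version
    ("libwebpmux3", "2:1.3.1-1"),         # epoch prefix, still pre-fix
    ("nginx", "1.24.0-1"),                # unrelated package, ignored
]
SAMPLE_PATCHED_APP = b"\x7fELF...Mozilla/5.0 AppleWebKit/537.36 Chrome/116.0.5845.188 Electron/26.2.1..."
SAMPLE_OLD_APP = b"\x7fELF...Mozilla/5.0 AppleWebKit/537.36 Chrome/114.0.5735.289 Electron/25.3.1..."


if __name__ == "__main__":
    import sys
    for row in scan_packages(SAMPLE_PACKAGES):
        print("package", *row)
    print("patched app:", classify_binary(SAMPLE_PATCHED_APP))
    print("old app:    ", classify_binary(SAMPLE_OLD_APP))
    # Walk a real directory (e.g. /opt or /Applications) when a path is given.
    for path, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("binary", path, verdict)
```

Run it with a directory argument to walk an install tree. A `vulnerable-chromium` verdict on an Electron app is strong evidence, because the bundled Chromium is where the app’s libwebp lives; a `check-advisory` verdict on a package is not a finding until the distribution’s advisory confirms whether that package version received a backported fix.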

Empowering Our Customers

We are committed to empowering our customers to safeguard themselves and their end users against rising cyber threats. Count on us to deliver the full breadth of proactive cybersecurity, including, for instance:

  • Attack Surface Scanning: We perform external Deep Attack Surface Scans to identify and address vulnerabilities in digital infrastructure and enhance overall security.
  • Active Threat Management: We prioritize remediation using EPSS (Exploit Prediction Scoring System) scores and provide enhanced protection against evolving cyber threats through proactive monitoring, detection, and response.
  • Patch Management: We diligently test and push out patches for all affected applications, ensuring swift remediation. (Unpatched software remains a leading root cause of high-profile breaches; the 2022 LastPass intrusion, for example, began with an unpatched third-party application on an employee’s home computer.)
  • Real-Time Updates: We promptly share updates and advisories to keep our customers informed of evolving threats

Final Word

We are working tirelessly to mitigate the risks associated with this critical vulnerability and urge our customers to remain vigilant, stay informed, and adopt proactive measures to stay ahead of potential threats. Questions? Please contact us for more information.

Contact Info

John Coleman, Director
JEI Tech
(587) 208-6940
john@jei.tech
Brian Suerth
Technology Assurance Group
(858) 946-2112
brian@tagnational.com