Google downplays critical WebP vulnerability affecting thousands of apps

Google originally disclosed a critical WebP vulnerability in Chrome, failing to mention thousands of other affected apps/frameworks
The vulnerability stems from the libwebp library used for rendering WebP images
Libwebp is incorporated in countless apps/OSes, notably Electron used in Chrome and other desktop/mobile apps
Google's original CVE left readers mistaken that only Chrome was affected, delaying patching in other software
Google quietly resubmitted the CVE to correctly list libwebp as affected, bumping up severity rating from 8.8 to 10

arstechnica.com

Relevant topic timeline:

8/31/2023

Google Fixes Serious Security Flaws in Chrome and Android

August has seen a flurry of patches released by technology giants like Microsoft, Google Chrome, and Firefox to fix serious vulnerabilities. These patches are crucial as some of the flaws are already being exploited in attacks. While there was no iPhone update from Apple, major fixes were released for enterprise software, including Ivanti, SAP, and Cisco. Microsoft's Patch Tuesday fixed numerous vulnerabilities, including ones being actively targeted. Google Chrome also issued updates, addressing high impact flaws in V8 and WebRTC. Firefox patched various vulnerabilities, some of which could lead to arbitrary code execution. Lastly, Google patched several critical vulnerabilities in its Android operating system, including RCE issues in System and Media Framework.

9/11/2023

Google Rushes Out Chrome Update to Fix Actively Exploited Zero-Day Vulnerability

Google has released emergency security updates for Chrome to address a zero-day vulnerability (CVE-2023-4863) that has been exploited in attacks, urging users to update their browsers to prevent further exploitation.

9/14/2023

Major Browsers Release Critical Security Updates - Update Now to Fix WebP Vulnerability

Many popular web browsers including Google Chrome, Microsoft Edge, Firefox, and Brave have issued security updates to fix a critical vulnerability that could allow malicious code to be run on users' computers.

9/27/2023

Google Patches Critical Chrome Flaw Exploited to Install Spyware, 5th Zero-Day This Year

Google has released emergency security updates to patch a zero-day vulnerability in Chrome that has been exploited in spyware attacks, with the vulnerability caused by a heap buffer overflow weakness in the VP8 encoding of the libvpx video codec library.

9/28/2023

Google patches Chrome zero-day used to deploy commercial spyware

Google has released an emergency patch for a zero-day vulnerability in Chrome that was exploited by a commercial spyware vendor, and the vulnerability has been linked to the zero-click iMessage exploit chain used to deploy the NSO Group's Pegasus spyware on compromised iPhones.

Topics

Posted 9/27/2023, 12:47:53 AM