Originally reported by Apple and Citizen Lab which was tracked as CVE-2023-4863 specific to Google Chrome. Earlier the vulnerability was reclassified as CVE-2023-5129 and correctly attributed as a flaw in libwebp with a maximum 10/10 severity rating by Google, but now the entry for CVE-2023-5129 has been taken down (rejected) and details on CVE-2023-4863 have been corrected to indicate that it's in libwebp and not just "Google Chrome".
The vulnerability exists in the lossless compression component of the open-source libwebp library that provides encoding and decoding of images in WebP format. Specifically, it is a heap buffer overflow issue within the Huffman coding algorithm used for lossless compression in WebP.
By crafting malicious WebP images and getting victims to open them, attackers could leverage this bug to execute arbitrary code and access sensitive user data.
Ben Hawkes (former Project Zero manager) also wrote about this 0day, and he had this to say about it:
"The bad news is that Android is still likely affected. Similar to Apple's ImageIO, Android has a facility called the BitmapFactory that handles image decoding, and of course libwebp is supported. As of today, Android hasn't released a security bulletin that includes a fix for CVE-2023-4863 -- although the fix has been merged into AOSP. To put this in context: if this bug does affect Android, then it could potentially be turned into a remote exploit for apps like Signal and WhatsApp. I'd expect it to be fixed in the October bulletin."
Ben also shared a Proof of Concept and other interesting notes; make sure to check it out.
Who is and isn't affected by WebP 0day?
Initially, the bug was portrayed solely as a vulnerability in Google Chrome and assigned CVE-2023-4863 with a high severity rating.
Also Read: Actively Exploited Libvpx Flaw Affects Both Firefox and Chrome Browsers
However, in truth, the security hole impacts any software that utilizes the WebP codec through the libwebp library, not just Chrome. Beyond Chromium-based browsers, this expansive list includes other major browsers like Mozilla Firefox, Apple Safari, and Microsoft Edge which all incorporate libwebp.
This vulnerability doesn't just affect web browsers, it affects any software that uses the libwebp library.
There are lots of applications that use libwebp to render WebP images, and you can check the list below
Numerous additional applications and software projects employ WebP image handling via libwebp across Linux, Android, Windows, macOS, and other platforms. Since the codec is built into Android, all native browser apps on Android devices are affected. The pervasive nature of the vulnerable library means the exposure is massive.
By incorrectly categorizing it as only a Chrome bug in the beginning, the far-reaching implications of the flaw were not fully recognized. However, its recent reclassification under CVE-2023-5129 accurately identifies it as a core vulnerability in libwebp itself. This makes it unambiguously clear that any platform or app using the libwebp library needs to push out patches to protect users.
Story of the CVEs (Update - 30th Sep. 2023)
We have seen many talks on this issue and must thank the community for taking the identifier in the right direction.
Will Dormann, a vulnerability analyst has raised a concern about the CVE issued to the bug that was reported to Apple and Google. Reporting the same bug (same root cause) to two or different vendors and issuing CVEs by the vendor for the same bug may not be a good choice.
If they are, then:
— Will Dormann (@wdormann) September 20, 2023
Apple got a libwebp vulnerability, and decided to assign a CVE to their product rather than libwebp.
Google got a libwebp vulnerability, and also decided to assign a different CVE to their product rather than libwebp.
Surely this isn't how CVE is to be used??
This vulnerability initially led to confusion in the CVE number assignment, resulting in three different CVE numbers for the same issue.
The CVEs that cause confusion are -
| Published Date | CVE ID | Description |
|---|---|---|
| 7/9/23 | CVE-2023-41064 | ImageIO Buffer Overflow Vulnerability in Apple Products, AKA BLASTPASS |
| 13/9/23 | CVE-2023-4863 | Heap buffer overflow in WebP (Google Chrome) |
| 27/9/23 | CVE-2023-5129 | Issue for libwebp library by Google (now rejected) |
As the vulnerability was in the libwebp package of WebP codec, and we have already mentioned above that this vulnerability doesn't just affect web browsers, it affects all application that uses the libwebp package. This package stands out for its efficiency, outperforming JPEG and PNG in terms of size and speed. Due to its features, the adoption of this library is much wider.
In practice, while exploitation isn't trivial, it's theoretically possible in any image processing context including server-side, making the scope of the vulnerability much wider than initially assumed as libwebp is a dependency for many commonly used applications.
The two different blog posts one from Ben Hawkes and another from Rezilion shed light on the confusion.
Finally, the entry for CVE-2023-5129 has been taken down (rejected) and details on CVE-2023-4863 have been corrected to indicate that it's in libwebp and not just "Google Chrome".
Successful exploitation requires moderately complex user interaction but allows remote code execution nonetheless. With patches already available, organizations and developers dependent on WebP should urgently prioritize updating vulnerable versions before threat actors have a chance to exploit it in the wild.
According to a list compiled on Wikipedia, the following application uses WebP codec:
We have tried to compile a list of the products, Apps, or code that may use or support the Webp codec library.
| Category | Products |
|---|---|
| Web Browsers |
Beaker (web browser), GNOME Web, Google Chrome, Midori, Mozilla Firefox, OhHai Browser, Pale Moon, Safari, SEOBrowse |
| Social Media |
Discord, Facebook, Instagram, Linked, ModernDeck for Twitter, Pinterest, Reddit, SpinShare Client, Telegram, Twitter, WhatsApp, Yammer |
| Operating Systems | Android, Windows |
| Video Platforms | Lbry, Twitch, Vimeo, YouTube, YTMDesktop App |
| Graphics Software |
Aseprite, GIMP, Graphic Converter, ImageMagick, Paint.NET, Photoshop, Photoshop and Picasa, Pixelmator, XnView |
| Cloud Storage | Amazon Photos, Dropbox, Google Drive, Google Photos |
| Ecommerce | Amazon, eBay, Etsy, Shopify, WooCommerce |
| CMS | Drupal, Joomla, MediaWiki, WordPress |
| Email Services | Gmail |
| Forum Software | PHPBB, vBulletin, XenForo |
| Photo Editing |
GDAL, GIMP, Graphic Converter, ImageMagick, Paint.NET, Photoshop, Photoshop and Picasa, Pixelmator, XnView |
| Game Engines | Godot Engine, Unreal Engine, Unity |
| Desktop Software |
1Password, Basecamp 3, Bitwarden, Blender, Cryptocat (discontinued), Discord, Discord RPC Maker, Electron App Store (Unofficial), Etcher, FastPictureViewer, Fifo FileCtor, Gitify, GitHub Desktop, GitKraken, Gnome Web, healthi, Inboxer, Joplin, Keybase, LibreOffice, Light Table, Logitech Options +, LosslessCut, Mattermost, Microsoft Office 2010, Microsoft Teams, Motrix, Museeks, Music Player, Obsidian, QQ (for macOS), Rambox, Signal, Skype, Slack, Spotify, Symphony Chat, Tabby, Termius, TIDAL, VLC Media Player, Visual Studio Code, WebTorrent, Windows Photo Viewer, Wire, Youtube Music for Desktop. |
| Mobile Apps | Lyft, Telegram Messenger, Uber |
| Web Servers | Apache, IIS, nginx |
| Developer Tools |
Advanced REST Client, Aeon, Antares, Appium Desktop, Barklarm, Believers Sword, Blockbench, BoxHero, Brim, Buttercup, Camunda Modeler, Cider, Clovery, Codex, Colorpicker, Cozy Desktop, CryptoARM GOST, Dat, DECK, DeckMaster, Deskfiler, Dict, Django, Doki Doki Mod Manager, Dopamine, DropPoint, Dusk Player, EBTCalc, ElectroCRUD, Electron App Store (Unofficial), Erin, ETCD Manager, Etcher, ExifCleaner, Fifo FileCtor, Fishing Funds, FLB Music, Flask, Frame, Gaucho, Gitify, gSubs, healthi, HexoClient, ImageShrinker, Inboxer, Invizi, itch, Jasper, Juggernaut, Kahla, Kap, KeeWeb, Knowte, Kube Dev Dashboard, Kube Forwarder, Laravel, Laravel Kit, Last Hit, LBRY Desktop, Lepton linked, Lisk Hub, lsdeer, Mailspring, Markdownify, massCode, mdp, mediaChips, Metronome Wallet, Mini Diary, MJML App, Monokle, monolith code, MoviePrint, Mullvad, Netron, Network Status Check, nteract, nuclear, OhHai Browser, Oversetter, P3X Redis UI, PanWriter, passky, Patchwork,Pencil, Picturama, PiTV, poi, Pomotroid, PreMiD, PrettyEarth, Primate Puppetry, Qawl, Quark, Quba E-Invoice Viewer, QuickRedis, R6RC, Rainbow Board, Rambox, Rebaslight, Recode Converter, Redis GUI (unofficial),RenderTune, React, Responsivize, Ride Receipts, Scratch For Discord, SeaPig, Serina, Silex website builder, SimpleInstaBot, Singlebox, Snippet Store, Socially, Soundnode, SpaceEye, SpinShare Client, Sqlectron, sqlui-native, Standard Notes, Standup Picker, Streamlabs OBS, Sturdy, Subtitler, Super Productivity, Switch, TagSpaces, Taskana, TextureLab, Thorium Reader, Time Series Admin, To Do, todometer, Transee, Translatium, Tropy, Tusk, Twinkle Tray, U Stair, Unfx Proxy Checker, Upcount, Vue.js, WebKitty, WizardMirror, wnr, yana, Zap |
| Major Companies | Facebook, Google, Slack, Wikimedia, WordPress.com |
| Other Programs/Scripts |
Display-dj, FFmpeg, GDAL, music-player, Musify, Notion, photoline, Picasa, React, Signal, Sumatra PDF, Vue.js |
The above list is prepared based on the data available on the Internet. Data may not be 100% accurate or up to date. We request everyone to help us to improve the accuracy of the data and keep it up to date.
WebP can also be displayed in all major browsers using the WebPJS JavaScript library, although support in Internet Explorer 6 and above is achieved using Flash.
Proper assessment as a libwebp codec vulnerability rather than a Chrome-specific issue is vital for security. The ease of attack means keeping systems current with fixes should be treated as an essential, high-priority task across the enormous user base of the popular WebP library.
Update from Microsoft - 2nd Oct. 2023
Microsoft has also acknowledged the flaws CVE-2023-4863 and released the fixes for the following products -
- Microsoft Edge
- Microsoft Teams for Desktop
- Skype for Desktop
- Webp Image Extensions (Released on Windows and updates through Microsoft Store)
Update from MongoDB Team - 9th Oct. 2023
The latest release of MongoDB is built on a version of Electron and Chromium that has the patch. Additionally, we are generally not affected because Compass never renders user generated content that is required for the exploit.
Also Read: Multiple High Severity Vulnerabilities Fixed in Mozilla Products
Patch WebP 0day Now
A list of the vendors that pushed the WebP 0day patched against the vulnerability are -
- Google Chrome – Mac and Linux 116.0.5845.187 and Windows 116.0.5845.187/.188.
- Mozilla – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2
- Brave Browser – version 1.57.64 (Chromium: 116.0.5845.188) [Android, iOS, Linux & Mac].
- Microsoft - Microsoft Edge – versions 109.0.1518.140, 116.0.1938.81, and 117.0.2045.31, MS Teams for desktop, Skype for desktop. [Check Here]
- Tor Browser – version 12.5.4.
- Opera – version 102.0.4880.46.
- Vivaldi – version 6.2.3105.47.
- Bitwarden
- LibreOffice
- Suse
- Ubuntu
- LosslessCut
- NixOS - Nix package manager
- Tails Project
- Signal Desktop
- 1Password
- Telegram Desktop
- Paint.NET
We request all readers and the community to help us update the list of the vendor who is vulnerable and has pushed the patch to fix it. Comment down the vulnerable product or name also the source of the patch released (if available).