Chrome, Firefox and more caught with their WebP down, offer hasty patch-up

Updated Google and Mozilla have rushed out a fix for a vulnerability within their browsers – Chrome and Firefox, respectively – noting an exploit already exists in the wild.

The web search giant on Tuesday hurriedly issued an update for its software in response to research by Citizen Lab at the University of Toronto's Munk School. Google also credited the Apple Security Engineering and Architecture (SEAR) team for discovering and reporting the security hole.

Likewise for Moz, which also on Tuesday issued an advisory and updates for its browser and email client.

The critical vulnerability, CVE-2023-4863, is a heap buffer overflow in libwebp, a Google-developed open source library that processes WebP images. Basically, any application – such as Chrome, Edge, or Firefox – that utilizes this library to display WebP images can be potentially hijacked by a carefully crafted picture.

We're told an exploit for this flaw already exists out in the wild, and is being used against some targets. Mozilla, for what it's worth, indicated those targets do not include Firefox, for now.

WebP, according to Google, "is a modern image format that provides superior lossless and lossy compression for images on the web." Sadly, it also appears to be a boon for malware distributors.

Google has updated the Stable and Extended channels for Chrome to 116.0.5845.187 for Mac and 116.0.5845.187/.188 for Windows. The Extended Stable channel will roll out over the coming days or weeks. Moz, meanwhile, patched the hole in Firefox 117.0.1, Thunderbird 115.2.2, and other editions of its gear.

As well as being used in other Chromium browsers, such as Edge and Opera, libwebp is included in several different tools and image editors. We expect to see patches for those browsers and programs, too.

Other than acknowledging that an exploit for the libwebp vulnerability already exists in the wild, Google was tight-lipped regarding the specifics, saying only: "Access to bug details and links may be kept restricted until a majority of users are updated with a fix."

It added: "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven't yet fixed."

• Apple races to patch the latest zero-day iPhone exploit
• High severity vuln in WinRAR could allow code to run when files are opened
• Microsoft: Patch this severe Outlook bug that Russian miscreants exploited
• Rackspace blames ransomware woes on zero-day attack

Tarquin Wilton-Jones, of Chromium-based browser maker Vivaldi, told The Register: “Vivaldi tracks Chromium updates very closely, and for security fixes, either the update or a patch is taken in, and released as soon as possible, sometimes within a couple of days, sometimes even the same day.”

He added: “A fix has been included for this particular issue in the most recent Vivaldi update.”

An exploit of a buffer overflow tends to result in a crash or the execution of arbitrary code. Last week, Apple dealt with two issues: CVE-2023-41061 and CVE-2023-41064. The latter, reported by Citizen Lab, was also a buffer overflow issue in an image-processing component. Citizen Lab referred to an exploit for CVE-2023-41064 as BLASTPASS, which required no interaction from a victim for NSO's Pegasus spyware to be downloaded and run upon receipt of a malicious image.

While Google has been light on specifics, the credit given to the reporters of CVE-2023-4863, as well as the timing and type, indicates there could be a connection between this and the issues Apple patched last week.

Either way, with an exploit already out in the wild, validating and applying patches when they become available would appear to be the prudent approach. ®

Updated to add

This story was revised to include details of Mozilla's patches for Firefox. Given the widespread use of libwebp in applications, look out for patches for your software of choice to close this hole: Microsoft Edge, Vivaldi, Brave's browser, and Electron-based apps should have updates coming soon if not already.