Earlier this week, Google issued a new CVE for a vulnerability in its open-source libwebp code library, CVE-2023-5129. The vulnerability has been assigned a CVSS score of 10.0, the maximum on the CVSS scale. It potentially allows an attacker to execute arbitrary code when a malicious WebP image is processed by a vulnerable application.
Apple has identified at least one campaign actively exploiting this vulnerability in its products and has issued the appropriate patches. Security researchers have also produced proof-of-concept code that exploits the vulnerability. More malicious campaigns are likely in the near future.
Similar to the Log4j vulnerability of 2021/2022, this vulnerability exists in a code library used by many software products. This means that many software products will each need to receive patches before exploitation is fully prevented.
Initially, Google had identified this as a vulnerability in its Chrome web browser and issued CVE-2023-4863. It later determined that it had misidentified the source of the vulnerability and issued a new CVE for the open-source library instead (which is also maintained by Google). Separately, Apple created CVE-2023-41064 for this vulnerability as it pertains to its software products. Apple released patches earlier this month.
What Should You Do?
Users and organizations are encouraged to apply patches for software affected by this vulnerability as they become available. A list of links to known patched software is provided below, but it should not be considered exhaustive, and other software products are likely to release patches in the near future.
Developers maintaining software that uses the libwebp library are advised to update their dependencies to libwebp version 1.3.2 or newer.
• Google Chrome
• Mozilla Software
• Brave Browser
• Microsoft Edge
• Tor Browser
• Opera Browser
• Vivaldi Browser
• Bitwarden Client
• Apple Software
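For developers and administrators who need to confirm which libwebp build an application actually loads, the following added example (not code from the article, Google or the libwebp project) queries the library's real WebPGetDecoderVersion() entry point through ctypes and compares the result against the 1.3.2 fix version named above. It assumes libwebp is discoverable on the default shared-library search path unless an explicit path is given.

```python
"""Report the loadable libwebp version and whether it is 1.3.2 or newer.

Added example, not part of the original article. WebPGetDecoderVersion()
is libwebp's own API; it packs the version as (major << 16) | (minor << 8) | revision.
"""
import ctypes
import ctypes.util
from typing import Optional, Tuple

# First libwebp release containing the fix for CVE-2023-5129, per the advisory above.
MIN_FIXED_VERSION = (1, 3, 2)


def unpack_webp_version(packed: int) -> Tuple[int, int, int]:
    """Decode the packed integer returned by WebPGetDecoderVersion()."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def is_fixed(version: Tuple[int, int, int]) -> bool:
    """True when the version is 1.3.2 or newer (tuples compare lexicographically)."""
    return version >= MIN_FIXED_VERSION


def load_libwebp(path: Optional[str] = None) -> Optional[ctypes.CDLL]:
    """Load libwebp from an explicit path or the default search path; None if absent."""
    libpath = path or ctypes.util.find_library("webp")
    if not libpath:
        return None
    try:
        lib = ctypes.CDLL(libpath)
    except OSError:
        return None
    lib.WebPGetDecoderVersion.restype = ctypes.c_int
    lib.WebPGetDecoderVersion.argtypes = []
    return lib


def check_libwebp(path: Optional[str] = None) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return (version, fixed) for the libwebp found, or None when none is loadable."""
    lib = load_libwebp(path)
    if lib is None:
        return None
    version = unpack_webp_version(lib.WebPGetDecoderVersion())
    return version, is_fixed(version)


if __name__ == "__main__":
    result = check_libwebp()
    if result is None:
        print("libwebp not found via ctypes; inspect the application's bundled copy instead")
    else:
        (major, minor, rev), fixed = result
        print(f"libwebp {major}.{minor}.{rev}: {'fixed' if fixed else 'VULNERABLE, upgrade to 1.3.2+'}")
```

Applications that statically link or bundle their own libwebp (browsers, Electron apps) will not be covered by the system-wide check; pass the bundled library's path explicitly.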