Last week, Citizen Lab disclosed a vulnerability they are calling BLASTPASS, which they found while investigating an iOS device used by an individual working at a civil society organization based in Washington, DC. The vulnerability was exploited to deliver NSO Group’s Pegasus commercial spyware. This 0-click vulnerability can affect iPhones running the latest iOS version (16.6), and Apple has issued two CVEs for the exploit chain (CVE-2023-41064 and CVE-2023-41061).
Richard Speed for The Register:
The critical vulnerability, CVE-2023-4863, is a heap buffer overflow in libwebp, a Google-developed open source library that processes WebP images. Basically, any application – such as Chrome, Edge, or Firefox – that utilizes this library to display WebP images can be potentially hijacked by a carefully crafted picture. We’re told an exploit for this flaw already exists out in the wild, and is being used against some targets. Mozilla, for what it’s worth, indicated those targets do not include Firefox, for now.
WebP, according to Google, “is a modern image format that provides superior lossless and lossy compression for images on the web.” Sadly, it also appears to be a boon for malware distributors.
Google has updated the Stable and Extended channels for Chrome to 116.0.5845.187 for Mac and 116.0.5845.187/.188 for Windows. The Extended Stable channel will roll out over the coming days or weeks. Moz, meanwhile, patched the hole in Firefox 117.0.1, Thunderbird 115.2.2, and other editions of its gear.
WebP is an image format developed by Google that provides both lossless and lossy compression for web images. Its design aims to offer smaller file sizes at equivalent or higher quality than traditional formats like JPEG and PNG. Because WebP decoding is embedded in many libraries and applications, the number of applications, browsers and operating systems that will need to be patched is rather significant.
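As an added example that is not part of the original post, the following Python identifies WebP content by its RIFF container header rather than by file extension, which helps when inventorying where WebP images may reach a decoder that has not yet been patched. The sample files, their names and the helper functions are constructed for this example.

```python
import struct

def parse_webp_header(data: bytes):
    """Describe a WebP file from its bytes, or None if it is not WebP (keys on the RIFF/WEBP signature, not the name)."""
    if len(data) < 20 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_size = struct.unpack_from("<I", data, 4)[0]
    fourcc, chunk_size = data[12:16], struct.unpack_from("<I", data, 16)[0]
    payload = data[20:20 + chunk_size]
    # RIFF size must equal total length minus the 8-byte RIFF header; a mismatch is a cheap malformation signal.
    info = {"fourcc": fourcc.decode("ascii", "replace"),
            "riff_size_ok": riff_size == len(data) - 8}
    if fourcc == b"VP8L":   # lossless: 0x2F, then 14-bit width-1, 14-bit height-1
        if len(payload) < 5 or payload[0] != 0x2F:
            return None
        bits = struct.unpack_from("<I", payload, 1)[0]     # packed LSB-first
        info.update(kind="lossless", width=(bits & 0x3FFF) + 1,
                    height=((bits >> 14) & 0x3FFF) + 1)
    elif fourcc == b"VP8 ":  # lossy keyframe: 3-byte tag, start code, 2x16-bit
        if len(payload) < 10 or payload[3:6] != b"\x9d\x01\x2a":
            return None
        w, h = struct.unpack_from("<HH", payload, 6)  # top 2 bits = scaling
        info.update(kind="lossy", width=w & 0x3FFF, height=h & 0x3FFF)
    elif fourcc == b"VP8X":  # extended: flags, 3 reserved, 24-bit LE w-1, h-1
        if len(payload) < 10:
            return None
        info.update(kind="extended", animated=bool(payload[0] & 0x02),
                    width=int.from_bytes(payload[4:7], "little") + 1,
                    height=int.from_bytes(payload[7:10], "little") + 1)
    else:
        return None
    return info

def build_webp(fourcc: bytes, payload: bytes) -> bytes:
    """Wrap one chunk in a minimal RIFF/WEBP container (constructed test data: valid headers, no real bitstream)."""
    chunk = fourcc + struct.pack("<I", len(payload)) + payload
    chunk += b"\x00" * (len(payload) % 2)        # RIFF pads odd chunks to even
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk

# Constructed samples: 16x8 lossless, 320x240 lossy keyframe, 640x480 animated extended, one non-image.
SAMPLES = {
    "photo.jpg": build_webp(b"VP8L", b"\x2f\x0f\xc0\x01\x00\x00\x00\x00"),
    "banner.webp": build_webp(b"VP8 ", b"\x00\x00\x00\x9d\x01\x2a\x40\x01\xf0\x00"),
    "sticker.bin": build_webp(b"VP8X", b"\x02\x00\x00\x00\x7f\x02\x00\xdf\x01\x00"),
    "notes.txt": b"just text, not an image",
}

def find_webp(files: dict) -> dict:
    """Name -> parsed header for every file that is WebP by content, whatever its extension says."""
    return {n: i for n, b in files.items() if (i := parse_webp_header(b))}
```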