- cross-posted to:
- security@lemmy.ml
- technology@lemmy.world
- cross-posted to:
- security@lemmy.ml
- technology@lemmy.world
Any Chromium and Firefox browser prior to version 116 will be vulnerable to this, update your browsers.
Any Chromium and Firefox browser prior to version 116 will be vulnerable to this, update your browsers.
What actual like platforms does this affect and to what extent tho? Like Mac (probably not iOS which is WebKit)?
I’ve read elsewhere it’s actually a problem with libwebp not just chrome.
Basically, anything that relies on libwebp (ie can play libwebp) is vulnerable.
https://snyk.io/blog/critical-webp-0-day-cve-2023-4863/
I wonder if it applies to devices using LockDown mode, thats shuts down a lot of nonsense in its own right…
https://www.techtarget.com/searchsecurity/news/366551978/Browser-companies-patch-critical-zero-day-vulnerability
Edit:
Fuck my reading skill (or fuck articles listing multiple high profile CVEs)…
Blastpass is not the same libwebp CVE (blastpass, the iMessage thing, is CVE-2023-41064. libwebp is CVE-2023-4863 - although that is the chrome one, despite this affecting libwebp not chrome).
I think the whole situation is very rapidly being researched and it’s all developing.
So, no idea if lockdown mode would have any effect
Good, I’m so fucking tired of this bullshit.
Nah, this bullshit is progress.
The root of this problem has always existed. Exploits have always been there, mistakes have always been there. These things are fundamentally unavoidable.
Acknowledging then, documenting them is new. Sensible disclosure is new. Companies paying for these bug bounties before they are publicly disclosed (so they can be fixed) is new.
And it’s awesome. It’s security. It’s people working together for the betterment of everyone.
It would be amazing if people didn’t make mistakes. But that isn’t possible.
Openess, honesty and quickly remedying of issues is possible, and it’s laudable.
So yeh, next time you get an annoying update that interrupts you’re workflow. Please understand the work and reason behind the update. You can still be pissed at the interruption, but please appreciate the human reason for it.
Edit: I read “good” as “god”. Idk if that changes anything
Current Description
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
By crafter webpage, does it mean it refers to anything like phishing or something a more savvy user wouldn’t likely “fall for” or does that actually not matter (zero-day or whatever)
Looks like it can do RCE without user interaction other than visiting the page-- not good!
Discord, slack, MS Teams, Steam, pretty much anything. But most of them have already fixed it so if you let stuff update itself frequently, there’s little risk.
Apple also released urgent out-of-band security patches for iOS and MacOS around the same time, and disclosed that it had something to o do with imag processing. Unclear whether they use libwebp or some other implementation, but they disclosed that it was being actively exploited on iPhones.