
A security vulnerability that was first tracked as a Chrome bug has turned out to be considerably more severe than initially believed. It affects a large number of applications, many of which have not yet received the necessary security updates.


Google has assigned the already-known vulnerability a new CVE ID and rated it with the highest severity level. The reason for the change is that the flaw, initially treated as a Chrome-specific issue, is in fact a bug in the handling of the WebP image format, so it affects far more than the browser.

The WebP format is widely used on the web because it offers a good trade-off between file size and image quality. The vulnerability lets an attacker craft a WebP image that triggers a heap buffer overflow in the decoder, which can lead to the execution of attacker-supplied code. The crafted image only has to be opened by a vulnerable application; in a web browser, simply visiting a page that serves the image is enough, because the image is decoded automatically in the background without any user interaction, and the resulting code execution can be used to install malware.
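To make the failure mode concrete, here is an added example written for this article; it is not libwebp's code and does not reproduce the actual libwebp defect. It walks the WebP (RIFF) container in two forms: an unsafe one that sizes a heap buffer from one length field in the file and drives its copies from another, and a bounds-checked one that validates every length against the bytes actually present. The three sample files (one consistent, two crafted so the two length fields disagree) are constructed inline; the chunk tag "VP8L" and the zero-filled payload are placeholders, not a real bitstream.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not libwebp code and not the actual libwebp bug:
 * a WebP (RIFF) container walker that copies chunk payloads into a heap
 * buffer, shown in the unsafe form and the bounds-checked form. */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* UNSAFE pattern: the heap buffer is sized from the RIFF size field, but
 * the copies are driven by each chunk's own size field. Both come from the
 * file and nothing ties them together, so a crafted image whose chunk sizes
 * exceed the RIFF size writes past the allocation (a heap buffer overflow).
 * Kept only to show the pattern; never call it on untrusted input.
 * Returns bytes copied, or -1 if the magic is wrong. */
long copy_chunks_unsafe(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WEBP", 4) != 0)
        return -1;
    uint32_t riff_size = rd32le(buf + 4);            /* attacker-controlled */
    uint8_t *out = malloc(riff_size);
    if (out == NULL) return -1;
    size_t off = 12, written = 0;
    while (off + 8 <= len) {
        uint32_t csize = rd32le(buf + off + 4);      /* attacker-controlled */
        memcpy(out + written, buf + off + 8, csize); /* overflows if written + csize > riff_size */
        written += csize;
        off += 8 + csize + (csize & 1);              /* RIFF pads odd chunks to even length */
    }
    free(out);
    return (long)written;
}

/* HARDENED form: every length read from the file is checked against the
 * bytes actually present before it sizes an allocation or a copy.
 * Returns bytes copied, or -1 if the file is truncated or inconsistent. */
long copy_chunks_checked(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WEBP", 4) != 0)
        return -1;
    uint32_t riff_size = rd32le(buf + 4);
    /* RIFF size covers everything after the 8-byte RIFF header: it must at
     * least hold "WEBP" and must not claim more bytes than we were given. */
    if (riff_size < 4 || riff_size > len - 8) return -1;
    size_t end = 8 + riff_size;
    uint8_t *out = malloc(riff_size);
    if (out == NULL) return -1;
    size_t off = 12, written = 0;
    while (off < end) {
        if (end - off < 8) { free(out); return -1; }         /* truncated chunk header */
        uint32_t csize = rd32le(buf + off + 4);
        size_t body = (size_t)csize + (csize & 1);           /* payload plus pad byte */
        if (body > end - off - 8) { free(out); return -1; }  /* chunk claims bytes that are not there */
        if (csize > riff_size - written) { free(out); return -1; } /* copy must fit the allocation */
        memcpy(out + written, buf + off + 8, csize);
        written += csize;
        off += 8 + body;
    }
    free(out);
    return (long)written;
}

/* Constructed sample file: one "VP8L" chunk whose payload is payload_len
 * zero bytes, with the RIFF size and chunk size fields set as requested so
 * the two can be made to disagree. Returns the total file length. */
size_t make_webp(uint8_t *out, uint32_t riff_size, uint32_t chunk_size, size_t payload_len) {
    memcpy(out, "RIFF", 4);
    wr32le(out + 4, riff_size);
    memcpy(out + 8, "WEBP", 4);
    memcpy(out + 12, "VP8L", 4);
    wr32le(out + 16, chunk_size);
    memset(out + 20, 0, payload_len);
    return 20 + payload_len;
}

/* Runs the constructed files through the checked parser (and the unsafe one
 * only on the consistent file). Returns 1 if the checked parser accepts the
 * consistent file and rejects both crafted ones. */
int self_check(void) {
    uint8_t f[64];
    size_t n = make_webp(f, 28, 16, 16);      /* consistent: 8 + 28 == 36 bytes on disk */
    if (copy_chunks_checked(f, n) != 16) return 0;
    if (copy_chunks_unsafe(f, n) != 16) return 0;
    n = make_webp(f, 8, 16, 16);              /* RIFF size 8, chunk copies 16: heap overflow in the unsafe walker */
    if (copy_chunks_checked(f, n) != -1) return 0;
    n = make_webp(f, 28, 0xFFFFFFF0u, 16);    /* chunk size far beyond the file */
    if (copy_chunks_checked(f, n) != -1) return 0;
    return 1;
}

int main(void) {
    printf("checked parser behaves as expected: %s\n", self_check() ? "yes" : "no");
    return 0;
}
```

The point of the checked version is that each length is compared with what is actually in the buffer before it is trusted, and the copy is additionally bounded by the allocation it writes into; the second check also covers the case where the padding arithmetic wraps on a 32-bit `size_t`. Real decoders face the same problem one level deeper, inside the compressed bitstream, which is why a container-level check like this is a sanity filter and not a replacement for updating the decoder.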

Countless well-known applications have been impacted

A notable aspect of this vulnerability is its initial misclassification. It was reported by Apple's Security Engineering and Architecture (SEAR) team and the Citizen Lab at the University of Toronto's Munk School, and was at first attributed solely to Chrome. Security updates for the common web browsers followed promptly. Further analysis, however, traced the flaw to the open-source libwebp library, which a great many programs use to decode WebP images. Consequently, applications such as GIMP, LibreOffice, Telegram, 1Password and numerous others can be attacked through a crafted image. In light of this broad impact, the vulnerability has now been given the maximum CVSS score of 10.0.

What you can do to keep yourself safe

There is only one real defence against this vulnerability: install the latest updates. Many of the affected applications, including the major browsers and LibreOffice, have already shipped patched versions. Note that libwebp is frequently bundled inside an application rather than supplied as a shared system library, so updating the operating system alone does not fix every program; each application that carries its own copy needs its own update.

Beyond that, the usual rules for safe web use apply: do not download files from untrusted sources, and check where a link in an e-mail leads before following it. This reduces exposure but is no substitute for patching, since a browser decodes the images on any page it loads without asking.