A critical vulnerability in the WebP Codec, designated as CVE-2023-4863, has recently come to light, necessitating immediate action from major browser vendors such as Google and Mozilla to address the issue. This vulnerability has the potential to impact not only web browsers but also any software utilizing the libwebp library, extending its reach far beyond browsers alone.
Developed by Google, WebP is a modern image format known for its superior lossless and lossy compression. It has gained widespread adoption due to its advantages in size and speed over formats like PNG and JPEG. The discovery and resolution of this vulnerability are of paramount importance, given WebP's prevalence on the web.
Most of the web browser vendors have already issued fixes for this vulnerability, including Google Chrome, Mozilla Firefox, and Microsoft Edge. For users of Chromium-based browsers, updates are either already available or imminent.
Important: CVE-2023-4863 is not limited to web browsers; it affects any application that relies on the libwebp library. This includes Electron-based apps like Signal, which has already patched the vulnerability. Additionally, software such as Honeyview from Bandisoft has released updates to mitigate the issue. Note that CVE-2023-4863 was initially misreported as a Chrome-only vulnerability, leading to widespread misconceptions in the media.
Who utilizes libwebp? Many applications utilize libwebp for rendering WebP images, including Affinity, Gimp, Inkscape, LibreOffice, Telegram, Thunderbird (now patched), FFmpeg, and numerous Android apps, as well as cross-platform apps built with Flutter.
This newly discovered vulnerability centers on a heap buffer overflow in the WebP image decoder. WebP, known for its efficient image compression, is used extensively by browsers like Google Chrome and Mozilla Firefox, so exploiting this flaw could potentially compromise the security of millions of internet users.
The vulnerability stems from the "BuildHuffmanTable" function, introduced in 2014, which validates the Huffman code data in a WebP lossless image and builds the decoder's lookup tables. The flaw lies in how those tables are sized: the allocation assumes well-formed input, and a crafted Huffman tree that does not fit the expected size causes the decoder to write past the allocated buffer. The fix was made in the corresponding libwebp commit.
The original code optimized a Huffman decoder that reads several bits ahead to determine bit consumption and symbol decoding. The newer version streamlined this process with an array of lookup tables, but it failed to account for excessively large bit counts from untrusted Huffman trees. This oversight could result in potential overflows.
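To make the sizing issue concrete, here is an added example that is not libwebp's code and is a simplified two-level layout rather than its actual BuildHuffmanTable: the size of a root-plus-sub-table Huffman lookup structure is computed from the code lengths and checked against the destination buffer's capacity before anything is written, so an over-subscribed or oversized set of code lengths is rejected instead of overflowing the buffer. The function names (compute_layout, huffman_table_size, build_table, decode_symbol), the MSB-first canonical code convention, and the 8-bit root table limit are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CODE_LEN 15  /* longest code length allowed in WebP lossless */
#define MAX_ROOT_BITS 8  /* demo limit (assumption); libwebp's root table is also 8 bits */
#define MAX_SYMBOLS 256  /* demo limit (assumption) */

typedef struct {
    uint16_t value;   /* symbol, or offset of the sub-table when is_link is set */
    uint8_t  bits;    /* code length, or root_bits + sub-table bits for a link */
    uint8_t  is_link;
} Entry;

/* Validate the code lengths, assign canonical (MSB-first) codes, and work out how
 * many bits each second-level table needs. Returns the total number of entries
 * (root table + all sub-tables), or -1 if the lengths are not a valid prefix code.
 * Nothing is written to the output table here: the size is known before building. */
static int compute_layout(const uint8_t* lengths, int n, int root_bits,
                          uint16_t* codes, uint8_t* sub_bits) {
    int count[MAX_CODE_LEN + 1] = {0};
    int next_code[MAX_CODE_LEN + 1];
    int i, len, left, code, total;

    if (n <= 0 || n > MAX_SYMBOLS || root_bits < 1 || root_bits > MAX_ROOT_BITS) return -1;
    for (i = 0; i < n; ++i) {
        if (lengths[i] > MAX_CODE_LEN) return -1;   /* untrusted length out of range */
        count[lengths[i]]++;
    }
    if (count[0] == n) return -1;                    /* no symbol has a code */

    /* Kraft inequality: an over-subscribed set of lengths is not a prefix code. */
    left = 1;
    for (len = 1; len <= MAX_CODE_LEN; ++len) {
        left = (left << 1) - count[len];
        if (left < 0) return -1;
    }

    /* Canonical code assignment (as in DEFLATE): codes of equal length are consecutive. */
    count[0] = 0;
    code = 0;
    for (len = 1; len <= MAX_CODE_LEN; ++len) {
        code = (code + count[len - 1]) << 1;
        next_code[len] = code;
    }
    memset(sub_bits, 0, (size_t)1 << root_bits);
    for (i = 0; i < n; ++i) {
        len = lengths[i];
        if (len == 0) continue;
        codes[i] = (uint16_t)next_code[len]++;
        if (len > root_bits) {
            /* Each root prefix with longer codes gets a sub-table sized by its longest code. */
            int prefix = codes[i] >> (len - root_bits);
            if (len - root_bits > sub_bits[prefix]) sub_bits[prefix] = (uint8_t)(len - root_bits);
        }
    }
    total = 1 << root_bits;
    for (i = 0; i < (1 << root_bits); ++i)
        if (sub_bits[i]) total += 1 << sub_bits[i];
    return total;
}

/* Size needed for the table, or -1 if the code lengths are invalid. */
int huffman_table_size(const uint8_t* lengths, int n, int root_bits) {
    uint16_t codes[MAX_SYMBOLS];
    uint8_t sub_bits[1 << MAX_ROOT_BITS];
    return compute_layout(lengths, n, root_bits, codes, sub_bits);
}

/* Build the two-level table into `table` (room for `capacity` entries). The required
 * size is computed and compared with the capacity first, so malformed lengths can
 * never cause a write past the buffer. Returns entries used, or -1 on rejection. */
int build_table(const uint8_t* lengths, int n, int root_bits, Entry* table, int capacity) {
    uint16_t codes[MAX_SYMBOLS];
    uint8_t sub_bits[1 << MAX_ROOT_BITS];
    int sub_offset[1 << MAX_ROOT_BITS];
    int i, j, next = 1 << root_bits;
    int size = compute_layout(lengths, n, root_bits, codes, sub_bits);
    if (size < 0 || size > capacity) return -1;     /* the check the bug class lacks */

    memset(table, 0, (size_t)size * sizeof(Entry));
    for (i = 0; i < (1 << root_bits); ++i) {        /* reserve sub-tables, link from root */
        if (sub_bits[i]) {
            sub_offset[i] = next;
            table[i].value = (uint16_t)next;
            table[i].bits = (uint8_t)(root_bits + sub_bits[i]);
            table[i].is_link = 1;
            next += 1 << sub_bits[i];
        }
    }
    for (i = 0; i < n; ++i) {
        int len = lengths[i], span, base;
        if (len == 0) continue;
        if (len <= root_bits) {                     /* short code: replicate across root entries */
            span = 1 << (root_bits - len);
            base = codes[i] << (root_bits - len);
        } else {                                    /* long code: fill its slice of the sub-table */
            int prefix = codes[i] >> (len - root_bits);
            int extra = sub_bits[prefix] - (len - root_bits);
            int suffix = codes[i] & ((1 << (len - root_bits)) - 1);
            span = 1 << extra;
            base = sub_offset[prefix] + (suffix << extra);
        }
        for (j = 0; j < span; ++j) { table[base + j].value = (uint16_t)i; table[base + j].bits = (uint8_t)len; }
    }
    return size;
}

/* Decode one symbol from the top `nbits` bits of `bits` (MSB-first); *consumed gets its length. */
int decode_symbol(const Entry* table, int root_bits, uint32_t bits, int nbits, int* consumed) {
    Entry e = table[(bits >> (nbits - root_bits)) & ((1u << root_bits) - 1)];
    if (e.is_link) {
        int sb = e.bits - root_bits;
        uint32_t idx = (bits >> (nbits - root_bits - sb)) & ((1u << sb) - 1);
        e = table[e.value + idx];
    }
    *consumed = e.bits;
    return e.value;
}

int main(void) {
    /* Constructed sample: codes A=0, B=10, C=110, D=111 with a 2-bit root table. */
    const uint8_t lens[4] = {1, 2, 3, 3};
    const uint8_t bad[3] = {1, 1, 1};               /* over-subscribed: three 1-bit codes */
    Entry t[8];
    int used;
    printf("needed: %d entries\n", huffman_table_size(lens, 4, 2));
    printf("too-small buffer: %d\n", build_table(lens, 4, 2, t, 5));
    printf("built: %d entries\n", build_table(lens, 4, 2, t, 8));
    printf("decode 111 -> symbol %d (%d bits)\n", decode_symbol(t, 2, 7u << 29, 32, &used), used);
    printf("invalid lengths: %d\n", huffman_table_size(bad, 3, 2));
    return 0;
}
```

The point of the example is the order of operations: the size is derived from the untrusted code lengths and compared with the buffer before a single entry is written, and any length set that fails the range or Kraft checks is refused outright.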
Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School reported the vulnerability responsibly on September 6, 2023.
Furthermore, Google has confirmed the existence of an exploit for CVE-2023-4863 in the wild, underscoring the urgency of the situation.
Users are strongly advised to ensure their browsers are up-to-date to benefit from these vital security patches.