Google corrects previous disclosure for libwebp vulnerability

Flaw was previously reported as a Chrome bug

Google corrects previous disclosure for libwebp vulnerability

Google has allocated a fresh CVE ID to a security vulnerability in libwebp, which had been exploited as a zero-day in recent attacks.

The bug was patched approximately two weeks ago and was reported in a collaborative effort by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School, on 6th September.

Google released a fix in less than a week.

Initially, Google reported the flaw as a Chrome bug and assigned it the CVE identifier CVE-2023-4863.

The vulnerability was described as a heap buffer overflow flaw that originated in the libwebp code library, a library developed by Google in 2010 for rendering images in the WebP format.

CVE-2023-4863 enabled an attacker to exploit a specially crafted WebP image, triggering a heap buffer overflow and enabling malicious code execution. This could occur when the image was opened in an application.

In the case of web browsers, a mere visit to a website could trigger this exploit, leading to the execution of background code that might install malware, among other malicious actions.

Google's decision to categorise the vulnerability as a Chrome bug instead of explicitly identifying it as a flaw in libwebp led to confusion within the cybersecurity community. It gave the impression that the threat exclusively impacted the Chrome browser.

Critics warned that Google's classification might lead to avoidable delays in addressing the security issue.

On Monday, Google issued a fresh disclosure tracked as CVE-2023-5129. The new entry accurately identifies libwebp as the affected software and raises the severity rating of the vulnerability from 8.8 to the maximum score of 10.

Google's latest submission also includes a significantly more detailed description of the vulnerability, providing a clearer understanding of its nature and potential impact, and removing the allusion to Chrome.

Cybersecurity experts have warned that several applications, including Gimp, Libreoffice, Telegram and 1Password could potentially be targeted in an attack, due to the widespread use of the open libwebp library.

This type of exploit could have serious consequences, from system crashes to the execution of arbitrary code and unauthorised access to sensitive data.

Make sure you have installed all the latest patches for any such service, if you are a user.