Highlights:
- The security vulnerability in WebP is identified as CVE-2023-4863.
- The buffer overflow vulnerability in WebP impacts a memory section referred to as the ‘heap’ within programs.
Google LLC, Mozilla Foundation, and other browser manufacturers have issued updates to address a zero-day vulnerability affecting the WebP image format. It is said that hackers are actively using the vulnerability to launch cyberattacks.
To correct Chrome’s built-in WebP implementation, Google recently released a patch. The Mozilla Foundation similarly released a Firefox upgrade. According to news, Microsoft Corporation has also released a WebP patch for Edge.
Two other browser developers, Brave Software Inc. and Vivaldi Technologies AS, released updates this week after realizing their applications were impacted. Furthermore, it’s thought that the WebP vulnerability’s effects might go beyond the ecosystem of browsers. Along with productivity apps like LibreOffice, more than a dozen graphic design tools support the image format.
CVE-2023-4863 is the reference number for the WebP security flaw. The severity level for this software vulnerability is Critical, the highest one that can be assigned. Researchers from Apple Inc. and Citizen Lab found the vulnerability, according to Google, which explained it in a blog post announcing its Chrome patch.
Google introduced the image format WebP in 2010. It draws inspiration from VP8, a technology that compresses video files to lower their storage requirements. WebP is positioned as an alternative to JPEG, PNG, and GIF standards.
The main selling point of WebP is that it uses less storage space than some competent technologies. Websites that use the format load faster because switching an image from JPEG to WebP can reduce its storage footprint by more than 30%. Additionally, the technology supports animations, which typically need to be stored in a different format and static images.
Google avoided getting too technical when discussing the recently discovered WebP vulnerability. The company stated, “Access to bug details and links may be kept restricted until a majority of users are updated with a fix.” However, Google revealed that the flaw involves a heap buffer overflow, a type of memory error.
The operating system on which browsers and other programs run allots memory for use in computations. An application divides the memory it receives into units known as segments when it launches. A small amount of the data for the application is contained in each of these segments.
A buffer overflow occurs when more data is input into a memory segment than it can hold. When this happens, extra data overwrites the data kept in nearby memory segments. Hackers can use that phenomenon to insert malicious code over sensitive parts of a program.
The buffer overflow vulnerability in WebP affects the heap, a program memory section. Data that an application uses for a long time is typically stored there. In the so-called stack, a section of programs’ memory with various technical properties and additional types of data assets are kept.
Popular browsers occasionally have buffer overflow flaws found in them. In November last year, Google patched a similar flaw in Chrome’s desktop version. A buffer overflow flaw was discovered in Apple’s competing Safari browser a few months earlier.