Security Alert: libwebp. Update all your browsers immediately and stay tuned for other 3rd party software updates [SERIOUS]
2 min read
TL;DR: All major browsers are vulnerable, but have had patches available for 2 weeks. Please update your browsers ASAP and enable automatic updates if possible. It is suspected other applications are vulnerable and updates will be coming out soon.
Details
There is a bad vulnerability out there right now. 10/10 CVSS severity score. Simply viewing a malicious image allows the attacker to execute malicious code on your machine. Threat intel has observed this vulnerability being exploited in the wild.
Google actually announced and patched this vulnerability 2 weeks ago. All browsers also got patched within a day or two.
The vulnerability is in libwebp, a common library used by many applications, especially those based on Electron. We don’t know yet the scope of how many applications out there are actually vulnerable yet, but it looks like it could be a lot. Keep a closer eye on your software updates in the coming weeks and install updates as soon as possible.
Minimum safe browser versions: (But you should update to the latest)
Chrome: 117.0.5938.92
Edge: 117.0.2045.31
Firefox: 117.0.1
Brave: 1.57.64
Opera: 102.0.4880.51
Safari: 16.6.1
More information:
https://www.reddit.com/r/sysadmin/comments/16teato/ah_f_cvss_100_dropped_absolute_meltdown_incoming/
https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/
https://blog.isosceles.com/the-webp-0day/
If alerts like these are helpful, let me know and I can look into formalizing these announcements in a subreddit like r/CryptoSecurity or a reddit Collection that pings users who subscribe.
submitted by /u/CryptoMaximalist
[link] [comments]
