[RndTbl] CVE-2023-41064

Gilbert Detillieux Gilbert.Detillieux at umanitoba.ca
Thu Oct 5 10:48:04 CDT 2023

On 2023-10-04 8:16 p.m., Trevor Cordes wrote:
> Fun.
> https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-imageio-webp-zero-days
> If you have an Apple device, it must be updated.  If it's no longer
> supported/updated, throw it away.

See also...


> Anyone can send you a text or imessage (whatever that is) with a crafted
> webp image and p0wn your whole device: no clicks or user interaction
> required.

iMessage is Apple's augmented/proprietary message protocol, which allows 
for multi-media attachments to a text message.  Based on what I read, I 
think the vulnerability in libwebp can only be exploited via iMessage 
and not via SMS text messages to iOS devices (since those wouldn't 
contain images).  Fortunately, you can disable iMessage support in iOS, 
if you don't use it.

> Same bug in Chrome: update your Chrome.  If you cannot on that device
> (i.e. Win7) then throw it away or find a new OS/browser.  But at least
> you'd have to visit a malicious web page.
> Also affects linux webp libraries, so patch your stuff and restart any
> dynamically linked browsers/clients.

Yeah, the list of apps and other frameworks that use libwebp is huge, 
and includes pretty much every modern browser, and even embedded 
mini-browsers to implement OAuth2 and such, if I'm not mistaken.

Even if this isn't as potentially nasty as the iMessage exploit, its 
scope is much larger.

Too bad they don't just give you an option to not load WebP images. 
(Wonder who's using those currently, other than Google?...)

Gilbert Detillieux          E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science            Web:    http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba      Phone:  204-474-8161
Winnipeg MB CANADA  R3T 2N2
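
The advice quoted in this thread to patch libwebp and restart dynamically linked clients can be checked after an update. The script below is an added example, not part of the original messages: it lists processes that still map a libwebp shared object that has since been replaced on disk. It assumes a Linux `/proc` layout; the function names `stale_webp_in_maps` and `scan_stale_webp` are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Assumption: Linux. /proc/<pid>/maps appends " (deleted)" to a mapped file
# whose directory entry is gone, which is what happens to the old library
# when a package update installs the patched one in its place.

# stale_webp_in_maps FILE
# Print each libwebp-family library in one maps file that is marked deleted
# (libwebp, libwebpdemux, libwebpmux, ...). Paths containing spaces are not
# handled; library paths normally have none.
stale_webp_in_maps() {
    grep -E '/libwebp[^/]*\.so[^/ ]* \(deleted\)$' "$1" 2>/dev/null |
        awk '{ print $(NF-1) }' | sort -u
}

# scan_stale_webp [ROOT]
# Walk every numeric directory under ROOT (default /proc) and print
# "pid<TAB>command<TAB>library" for each process that needs a restart.
scan_stale_webp() {
    local root dir pid name lib
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        pid="${dir##*/}"
        name="$(cat "$dir/comm" 2>/dev/null || echo '?')"
        stale_webp_in_maps "$dir/maps" | while IFS= read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "$name" "$lib"
        done
    done
}

# Run as root to see other users' processes; no output means nothing found.
scan_stale_webp "${1:-/proc}"
```

Programs that bundle or statically link their own copy of libwebp do not show up here, because they never map the system library; those have to be updated individually.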
