[RndTbl] CVE-2023-41064

Adam Thompson athompso at athompso.net
Thu Oct 5 11:18:41 CDT 2023

What everyone calls SMS almost always includes MMS, which is a layered superset of SMS capabilities (using OTT IP, FWIW).

MMS is capable of sending images.  While they normally get transcoded at least once, and usually 3 times (wtf, I know), it is possible for a sufficiently sophisticated attacker to send WebP images bypassing all the transcoding.  To do so, the attacker would need an SS7 connection, but while expensive, that's not a massive technical hurdle.

So... sadly that's still a zero-click vuln on every cell phone with a carrier that isn't still in the dark ages.


From: Roundtable <roundtable-bounces at muug.ca> on behalf of Gilbert Detillieux <Gilbert.Detillieux at umanitoba.ca>
Sent: Thursday, October 5, 2023 10:48:04 AM
To: Continuation of Round Table discussion <roundtable at muug.ca>
Subject: Re: [RndTbl] CVE-2023-41064

On 2023-10-04 8:16 p.m., Trevor Cordes wrote:
> Fun.
> https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-imageio-webp-zero-days
> If you have an Apple device, it must be updated.  If it's no longer
> supported/updated, throw it away.

See also...


> Anyone can send you a text or iMessage (whatever that is) with a crafted
> webp image and p0wn your whole device: no clicks or user interaction
> required.

iMessage is Apple's augmented/proprietary message protocol, which allows
for multi-media attachments to a text message.  Based on what I read, I
think the vulnerability in libwebp can only be exploited via iMessage
and not via SMS text messages to iOS devices (since those wouldn't
contain images).  Fortunately, you can disable iMessage support in iOS,
if you don't use it.

> Same bug in Chrome: update your Chrome.  If you cannot on that device
> (i.e. Win7) then throw it away or find a new OS/browser.  But at least
> you'd have to visit a malicious web page.
> Also affects linux webp libraries, so patch your stuff and restart any
> dynamically linked browsers/clients.

Yeah, the list of apps and other frameworks that use libwebp is huge,
and includes pretty much every modern browser, and even embedded
mini-browsers to implement OAuth2 and such, if I'm not mistaken.

Even if this isn't as potentially nasty as the iMessage exploit, its
scope is much larger.

Too bad they don't just give you an option to not load WebP images.
(Wonder who's using those currently, other than Google?...)

Gilbert Detillieux          E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science            Web:    http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba      Phone:  204-474-8161
Winnipeg MB CANADA  R3T 2N2

Roundtable mailing list
Roundtable at muug.ca
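Gilbert's wish for "an option to not load WebP images" can be approximated at a mail or web gateway by sniffing the container rather than trusting the file extension. The following is an added example, not code from anyone on this thread and not libwebp's own API: it walks the RIFF/WEBP chunk list, rejects truncated or length-lying files, and applies a hypothetical policy that refuses all WebP, naming the lossless (VP8L) case separately because that is the decoder path the September 2023 libwebp fix changed. The sample inputs are constructed container headers with dummy payloads, not real images.

```python
import struct

# RIFF/WebP container: "RIFF" <u32 size> "WEBP" then chunks of
# <fourcc> <u32 size> <payload> [1 pad byte if size is odd].
RIFF_HEADER_LEN = 12
CHUNK_HEADER_LEN = 8


def is_webp(data: bytes) -> bool:
    """Sniff the container by magic bytes, ignoring the file extension."""
    return (len(data) >= RIFF_HEADER_LEN
            and data[:4] == b"RIFF"
            and data[8:12] == b"WEBP")


def webp_chunks(data: bytes) -> list:
    """Walk the RIFF chunk list and return [(fourcc, payload_size), ...].

    Raises ValueError on a chunk that runs past the declared RIFF size, so a
    truncated or length-lying file is rejected rather than partially trusted.
    """
    if not is_webp(data):
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)
    pos = RIFF_HEADER_LEN
    chunks = []
    while pos + CHUNK_HEADER_LEN <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload_end = pos + CHUNK_HEADER_LEN + size
        if payload_end > end:
            raise ValueError(f"chunk {fourcc!r} claims {size} bytes past end of file")
        chunks.append((fourcc, size))
        pos = payload_end + (size & 1)  # chunks are padded to even length
    return chunks


def webp_policy(data: bytes) -> str:
    """Return "allow" for non-WebP input, otherwise a reject reason.

    Hypothetical gateway rule (an assumption of this example): refuse every
    WebP, and name the lossless (VP8L) case separately.
    """
    if not is_webp(data):
        return "allow"
    try:
        kinds = [fourcc for fourcc, _ in webp_chunks(data)]
    except ValueError as exc:
        return f"reject: malformed WebP ({exc})"
    if b"VP8L" in kinds:
        return "reject: WebP lossless (VP8L)"
    if b"VP8 " in kinds:
        return "reject: WebP lossy (VP8)"
    return f"reject: WebP with chunks {[k.decode('ascii', 'replace') for k in kinds]}"


def build_riff(chunks) -> bytes:
    """Assemble a RIFF/WEBP container from (fourcc, payload) pairs.

    Only used to construct test inputs here; the payloads are not valid
    image data, so these are container-level fixtures, not images.
    """
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples (not real images): a lossless-flavoured container, a
# lossy one wrapped in VP8X with EXIF, a truncated one, and a PNG signature.
SAMPLE_LOSSLESS = build_riff([(b"VP8L", b"\x2f\x00\x00\x00\x00")])
SAMPLE_EXTENDED = build_riff([(b"VP8X", b"\x00" * 10),
                              (b"EXIF", b"Exif\x00\x00"),
                              (b"VP8 ", b"\x00" * 6)])
SAMPLE_TRUNCATED = SAMPLE_LOSSLESS[:-2]
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("lossless.webp", SAMPLE_LOSSLESS),
                       ("holiday.png", SAMPLE_EXTENDED),  # WebP disguised as .png
                       ("cut.webp", SAMPLE_TRUNCATED),
                       ("real.png", SAMPLE_PNG)]:
        print(f"{name:15} {webp_policy(blob)}")
```

The point of the `holiday.png` case is that a renamed WebP is still handed to libwebp by most clients, which sniff content the same way this code does; an extension-based filter would wave it through.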
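Trevor's advice to "patch your stuff and restart any dynamically linked browsers/clients" has a concrete check on Linux: after the package upgrade, any process still mapping the old libwebp shows it in /proc/<pid>/maps with a "(deleted)" suffix, because the package manager unlinked the old file and the process kept the old inode. The following is an added example, not from this thread or any distribution tool; the maps excerpt is constructed, and the helper names are this example's own.

```python
import os
import re

# One /proc/<pid>/maps line: address perms offset dev inode [path [(deleted)]]
MAPS_LINE = re.compile(
    r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/.*?)(?P<deleted>\s\(deleted\))?$")


def stale_libs(maps_text: str, lib_name: str = "libwebp") -> list:
    """Return paths of lib_name mappings whose backing file was replaced.

    The kernel reports a mapping whose file was unlinked as "(deleted)";
    that is a process still executing the pre-upgrade copy of the library.
    """
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if lib_name in os.path.basename(path) and m.group("deleted") and path not in hits:
            hits.append(path)
    return hits


def scan_running_processes(lib_name: str = "libwebp", proc: str = "/proc") -> dict:
    """Map pid -> stale library paths for every process we may read."""
    stale = {}
    if not os.path.isdir(proc):
        return stale  # not Linux, or procfs not mounted
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "maps"),
                      encoding="utf-8", errors="replace") as fh:
                hits = stale_libs(fh.read(), lib_name)
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # another user's process, or it exited while we looked
        if hits:
            stale[int(pid)] = hits
    return stale


# Constructed maps excerpt (not captured from a real machine): the library
# is mapped once per segment, and both segments still point at the old inode.
SAMPLE_MAPS = """\
55d4c2a00000-55d4c2a20000 r--p 00000000 08:02 1310854 /usr/lib/firefox/firefox
7f3a1c000000-7f3a1c010000 r--p 00000000 08:02 1327765 /usr/lib/x86_64-linux-gnu/libwebp.so.7.1.3 (deleted)
7f3a1c010000-7f3a1c06a000 r-xp 00010000 08:02 1327765 /usr/lib/x86_64-linux-gnu/libwebp.so.7.1.3 (deleted)
7f3a1c200000-7f3a1c210000 rw-p 00000000 00:00 0
7f3a1c300000-7f3a1c320000 r-xp 00000000 08:02 1327801 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2b000000-7ffd2b021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("sample:", stale_libs(SAMPLE_MAPS))
    for pid, paths in sorted(scan_running_processes().items()):
        print(f"pid {pid} still maps old {', '.join(paths)}; restart it")
```

Run it as root to see every process; as an ordinary user it only sees your own. `lsof +L1` gives the same information for all deleted-but-open files, without the library filter. Statically linked binaries and snaps or flatpaks that bundle their own libwebp will not show up here at all, and need their own update path.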