What everyone calls SMS almost always includes MMS, which is a layered superset of SMS capabilities (using OTT IP, FWIW).
MMS is capable of sending images. While they normally get transcoded at least once, and usually 3 times (wtf, I know), it is possible for a sufficiently-sophisticated attacker to send webP images bypassing all the transcoding. To do so, the attacker would need an SS7 connection, but while expensive, that's not a massive technical hurdle.
So... sadly that's still a zero-click vuln on every cell phone with a carrier that isn't still in the dark ages.
-Adam
Get Outlook for Android <https://aka.ms/AAb9ysg>
________________________________
From: Roundtable <roundtable-bounces@muug.ca> on behalf of Gilbert Detillieux <Gilbert.Detillieux@umanitoba.ca>
Sent: Thursday, October 5, 2023 10:48:04 AM
To: Continuation of Round Table discussion <roundtable@muug.ca>
Subject: Re: [RndTbl] CVE-2023-41064
On 2023-10-04 8:16 p.m., Trevor Cordes wrote:
Fun.
https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-...
If you have an Apple device, it must be updated. If it's no longer supported/updated, throw it away.
See also...
https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-ra...
https://www.bleepingcomputer.com/news/security/apple-backports-blastpass-zer...
Anyone can send you a text or iMessage (whatever that is) with a crafted webp image and p0wn your whole device: no clicks or user interaction required.
iMessage is Apple's augmented/proprietary message protocol, which allows for multi-media attachments to a text message. Based on what I read, I think the vulnerability in libwebp can only be exploited via iMessage and not via SMS text messages to iOS devices (since those wouldn't contain images). Fortunately, you can disable iMessage support in iOS, if you don't use it.
Same bug in Chrome: update your Chrome. If you cannot on that device (i.e. Win7) then throw it away or find a new OS/browser. But at least you'd have to visit a malicious web page.
Also affects linux webp libraries, so patch your stuff and restart any dynamically linked browsers/clients.
Yeah, the list of apps and other frameworks that use libwebp is huge, and includes pretty much every modern browser, and even embedded mini-browsers to implement OAuth2 and such, if I'm not mistaken.
Even if this isn't as potentially nasty as the iMessage exploit, its scope is much larger.
Too bad they don't just give you an option to not load WebP images. (Wonder who's using those currently, other than Google?...)
--
Gilbert Detillieux              E-mail: Gilbert.Detillieux@umanitoba.ca
Computer Science                Web:    http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba          Phone:  204-474-8161
Winnipeg MB CANADA R3T 2N2
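Trevor's advice above to patch the Linux webp libraries and then restart anything dynamically linked against them can be checked with the following script, which is an added example and not part of the thread. It assumes a Linux /proc layout and that the package upgrade replaced the libwebp shared objects on disk; the maps fragment in sample_maps is constructed, with made-up addresses and inode numbers.

```shell
#!/bin/sh
# Added example (not from the thread): find processes that still run an old
# libwebp after the package was upgraded. On Linux a replaced shared object
# stays mapped in already-running processes, and /proc/<pid>/maps marks the
# mapping "(deleted)"; those processes keep the old code until restarted.

# stale_webp_maps MAPS_FILE
# Print each libwebp* shared object in a /proc/<pid>/maps file whose on-disk
# file has been replaced. Field 6 is the path; "(deleted)" follows as field 7.
stale_webp_maps() {
    awk '$6 ~ /libwebp[a-z]*[.]so/ && $7 == "(deleted)" { print $6 }' "$1" 2>/dev/null \
        | sort -u
}

# report_stale_webp
# Walk every readable /proc/<pid>/maps (other users' processes need root) and
# print "pid<TAB>command<TAB>library" for each stale mapping. Always returns 0.
report_stale_webp() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_webp_maps "$maps")
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
    return 0
}

# Constructed sample maps file (hypothetical addresses and inodes): one
# upgraded libwebp still mapped, plus an untouched libc, for an offline check.
sample_maps() {
    cat <<'EOF'
7f1a2b000000-7f1a2b04c000 r-xp 00000000 08:01 123456 /usr/lib/x86_64-linux-gnu/libwebp.so.7.1.3 (deleted)
7f1a2b04c000-7f1a2b050000 r--p 0004c000 08:01 123456 /usr/lib/x86_64-linux-gnu/libwebp.so.7.1.3 (deleted)
7f1a2c000000-7f1a2c100000 r-xp 00000000 08:01 222222 /usr/lib/x86_64-linux-gnu/libc.so.6
EOF
}

echo "Sample check:"
sample_maps > "/tmp/sample_maps.$$"
stale_webp_maps "/tmp/sample_maps.$$"
rm -f "/tmp/sample_maps.$$"
echo "Live scan (pid, command, stale library):"
report_stale_webp
```

An empty live scan means no readable process still maps a replaced libwebp; run it as root to cover every user's processes.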
_______________________________________________ Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable