On 2023-10-04 8:16 p.m., Trevor Cordes wrote:
Fun.
https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-...
If you have an Apple device, it must be updated. If it's no longer supported/updated, throw it away.
See also...
https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-ra...
https://www.bleepingcomputer.com/news/security/apple-backports-blastpass-zer...
Anyone can send you a text or iMessage (whatever that is) with a crafted WebP image and p0wn your whole device: no clicks or user interaction required.
iMessage is Apple's augmented/proprietary message protocol, which allows for multi-media attachments to a text message. Based on what I read, I think the vulnerability in libwebp can only be exploited via iMessage and not via SMS text messages to iOS devices (since those wouldn't contain images). Fortunately, you can disable iMessage support in iOS, if you don't use it.
Same bug in Chrome: update your Chrome. If you cannot on that device (i.e. Win7) then throw it away or find a new OS/browser. But at least you'd have to visit a malicious web page.
Also affects Linux WebP libraries, so patch your stuff and restart any dynamically linked browsers/clients.
Yeah, the list of apps and other frameworks that use libwebp is huge, and includes pretty much every modern browser, and even embedded mini-browsers to implement OAuth2 and such, if I'm not mistaken.
Even if this isn't as potentially nasty as the iMessage exploit, its scope is much larger.
Too bad they don't just give you an option to not load WebP images. (Wonder who's using those currently, other than Google?...)
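
Added example, not part of the original message: a check for the "patch your stuff and restart any dynamically linked browsers/clients" step on Linux, listing processes that still map a libwebp shared object whose file was replaced on disk. It assumes the package manager installs the new library by unlinking the old file, so the old mapping appears in /proc/<pid>/maps with a " (deleted)" suffix; the sample maps text and its version numbers are constructed.

```python
import os
import re

# One /proc/<pid>/maps line: address perms offset dev inode pathname
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s+(?P<path>/.*)$"
)
# libwebp and its sibling libraries (libwebpdemux, libwebpmux, ...)
LIB = re.compile(r"/libwebp[^/]*\.so[^/]*$")
DELETED = " (deleted)"

# Constructed sample, not captured from a real system.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c05a000 r-xp 00000000 08:01 131234 /usr/lib/x86_64-linux-gnu/libwebp.so.7.1.5 (deleted)
7f3a1c200000-7f3a1c20a000 r--p 00000000 08:01 131300 /usr/lib/x86_64-linux-gnu/libwebpdemux.so.2.0.11
7f3a1c400000-7f3a1c5c0000 r-xp 00000000 08:01 130001 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
"""


def stale_libwebp(maps_text):
    """Return sorted libwebp paths that are mapped but no longer on disk."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or not m.group("path").endswith(DELETED):
            continue
        real = m.group("path")[: -len(DELETED)]
        if LIB.search(real):
            stale.add(real)
    return sorted(stale)


def scan_proc(proc="/proc"):
    """Map pid -> stale libwebp paths for every process we may read."""
    hits = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                libs = stale_libwebp(fh.read())
        except OSError:  # process exited, or not ours to read (run as root)
            continue
        if libs:
            hits[int(entry)] = libs
    return hits


if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

Programs that bundle or statically link their own copy of libwebp do not show up here and need their own update.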