The main characteristics of this vulnerability are detailed below: The Chromium team has already reported the exploitation of this zero-day in the wild, so it is recommended to update affected products as soon as possible. This vulnerability not only affects the Mozilla Firefox browser or others based on Chromium (Google Chrome, Microsoft Edge, Opera, Vivaldi, Brave, …) but also affects applications such as Thunderbird, Honeyview, Signal Electron, Affinity, Gimp, Inkscape, LibreOffice, Telegram, ffmpeg or 1Password, among others. The problem lies in the fact that this function allocates extra memory if the existing table is not large enough for the input data, allowing arbitrary data to be written outside of the bounds set in memory, when processing a malicious WebP image, which can lead to arbitrary code execution. The CVE-2023-4863 vulnerability can be found in this library, specifically in the BuildHuffmanTable function used to validate the input data. Google developed an open source library for manipulating images in WebP format, known as Libwebp, providing tools and functionality for encoding and decoding images in this format. Thanks to WebP, developers and webmasters have the ability to generate more compact, high-quality images, which leads to a significant improvement in the loading speed of web pages. WebP is an image format that offers superior lossless and lossy compression for images on the Web. On September 6th, 2023 Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at the University of Toronto reported a critical vulnerability affecting an image compression library used in Chromium and other software solutions that support WebP images. The vulnerability CVE-2023-4863 is found in the open source Libwebp library and affects browsers such as Mozilla, Chrome and Edge
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |