Zero-day WebP vulnerability CVE-2023-5129

Critical, CVSS 10-rated zero-day WebP vulnerability widely exploited. Reassigned to CVE-2023-5129.

The zero-day vulnerability in Google’s libwebp library has been reassigned to CVE-2023-5129. It is widely exploited. Attackers are using WebP images to deliver malicious code in order to extract sensitive information from their victims.


Google released a security fix for a critical vulnerability affecting Google Chrome for Windows, macOS, and Linux. The vulnerability was assigned CVE-2023-4863 and given a severity of 8.8 (High). Analysis showed that it is a heap buffer overflow in the libwebp library, which a threat actor can exploit to perform an out-of-bounds memory write via a crafted HTML page. Google later resubmitted the vulnerability, and it is now tracked as CVE-2023-5129.

It was later found that CVE-2023-41064 and this vulnerability are similar and affect the same libwebp library. Threat actors exploited this library in the BLASTPASS exploit chain to deploy NSO’s Pegasus spyware. Although the two vulnerabilities have different CVE IDs and were released by different vendors, they both affect the same library.

A growing number of vendors are working to address the vulnerability by making patches available to the organizations and developers that depend on libwebp, since threat actors are actively exploiting it worldwide across millions of end users running the above-mentioned software that includes the libwebp library.

We recommend that all businesses using the libwebp library upgrade their code to libwebp version 1.3.2 or later.
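One way to check a host against that recommendation, as an added example that is not part of the original advisory: the script loads the shared libwebp through `ctypes`, reads its version with the library's `WebPGetDecoderVersion()` call, and compares it with 1.3.2. The helper names (`unpack_version`, `is_fixed`, `loaded_libwebp_version`, `report`) are this example's own.

```python
"""Report whether the shared libwebp on this host is at least version 1.3.2."""
import ctypes
import ctypes.util

FIXED = (1, 3, 2)  # minimum version recommended in the advisory above


def unpack_version(packed):
    """libwebp packs its version as 0xMMmmrr, e.g. 0x010302 for 1.3.2."""
    return (packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF


def is_fixed(version, fixed=FIXED):
    """True when a (major, minor, revision) tuple is at or above the fixed release."""
    return tuple(version) >= tuple(fixed)


def loaded_libwebp_version():
    """Return the system libwebp version tuple, or None if no shared copy loads."""
    name = ctypes.util.find_library("webp")
    if name is None:
        return None
    try:
        lib = ctypes.CDLL(name)
        lib.WebPGetDecoderVersion.restype = ctypes.c_int
        return unpack_version(lib.WebPGetDecoderVersion())
    except (OSError, AttributeError):
        return None


def report(version):
    """Build a one-line status string for logs or an inventory job."""
    if version is None:
        return "libwebp: no shared library found (check bundled copies separately)"
    state = "OK" if is_fixed(version) else "UPGRADE REQUIRED"
    return "libwebp %d.%d.%d: %s" % (*version, state)


if __name__ == "__main__":
    print(report(loaded_libwebp_version()))
```

This only sees the shared library the system loader resolves; browsers and other applications that bundle their own copy of libwebp have to be checked through their own version and update channel. Distribution packages may also carry the fix backported under an older upstream version number, so confirm an "UPGRADE REQUIRED" result against the vendor's security notice.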

We also recommend that all our partners and customers keep their web browsers updated periodically to prevent exposure to this vulnerability. Analysis of the vulnerability found that it arose in a component of the open-source libwebp library.
The library's Huffman coding, an algorithm often used for lossless compression, had a heap buffer issue that caused this vulnerability.