Earlier this week, a security vulnerability in the WebP codec was disclosed, affecting many applications and operating systems. Web browsers are most at risk, since WebP images are now common across the web, but some applications that support WebP (such as LibreOffice and Telegram) also need to be patched to avoid security problems. Mozilla just rolled out emergency fixes for Firefox and Thunderbird, and now Google Chrome and Chromium-based browsers are being fixed.
Google Chrome has now rolled out a patch for the security flaw in its Stable and Extended stable channels, starting with version 116.0.5845.187 for Mac and Linux and version versions 116.0.5845.187/.188 on Windows. If you manually check for Chrome updates, the update will likely be found and installed. Otherwise, it should be automatically downloaded at some point in the coming days (if it hasn’t already) and prompt you to restart the web browser. The security vulnerability also affects any browsers based on the Chromium project, so Microsoft just released Edge 116.0.1938.81 to fix the same flaw. Vivaldi and Brave Brower are also now rolling out the fix.
The security vulnerability (labelled as CVE-2023-4863) affects libwebp, one of the most common ways for applications to render WebP images. It allows a malicious WebP image to cause a heap buffer overflow, which can potentially be used to take control of your computer. Google says it found the security flaw being exploited in the wild, so it’s important to update as soon as possible.
It’s not clear if Apple’s Safari web browser is directly affected — it may be using a different method to render WebP images. Apple just released updates for iOS 16, iOS 15, watchOS 9, macOS 11 Big Sur, macOS Monterey 12, and macOS 13 Ventura to fix a different security flaw related to images. That security issue, known as CVE-2023-41064, also allowed a buffer overflow issue to execute arbitrary code on the device. The exact technical details are not public to avoid exploits becoming more common, but that specific flaw only affects Apple devices, due to a vulnerability in the ImageIO framework used in Apple’s software.
Source: StackDiary, Vivaldi
