09/29/2023

BREAKING ALERT: CVE-2023-4863 WebP Image Library Vulnerability

If exploited, this vulnerability could be quite devastating

The Ohio Society of Association Professionals (OSAP) has recently been contacted by Chubb and informed of a risk that could affect Ohio's nonprofit organizations. Google, Microsoft, Apple, Mozilla, 1Password and others have recently disclosed a maximum-severity vulnerability, CVE-2023-4863, affecting numerous applications using libwebp, a widely used image handling library.

A number of popular web browsers, including Google Chrome, Microsoft Edge and Mozilla Firefox, the Thunderbird email client, as well as applications using the Electron open-source framework, such as 1Password and Slack, are impacted by this risk.

A list of affected Electron applications can be found here. If exploited, this vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a system running a vulnerable application and, in some cases, without user interaction. Google and Apple are aware of active exploitation of this vulnerability in the wild, including a zero-click compromise of an iPhone running the latest version of iOS (16.6).

This is a global alert. Google, Microsoft, Apple, Mozilla, 1Password and others have released details on the potential impact and advise those affected to apply patches as soon as possible.
