WebP Vulnerability Affects Every Major Browser – Here’s What You Should Do
Major tech companies have scrambled to push patches that stop a big problem for hundreds of applications
A vulnerability has been discovered in an open-source code base responsible for compressing image files, impacting the security of most major web browsers and thousands of web applications.
In September, security researchers from Apple and an academic lab at The University of Toronto disclosed a vulnerability in WebP, which is widely used in many products. Web browsers like Google’s Chrome and Mozilla Firefox, various features in Apple’s iOS, and eight different distributions of the Linux operating system all use WebP.
When it was first disclosed, this vulnerability was thought to affect only Chrome. However, other security researchers dug deeper and found that the flaw lies in WebP itself, which makes the vulnerability one of the most widespread security issues discovered this year.
The vulnerability (CVE-2023-4863) carries a “high” severity score of 8.8/10, as it could allow for remote code execution through specially crafted images with no authentication or user interaction. The Cybersecurity & Infrastructure Security Agency (CISA) issued a security release after the vulnerability was found to be exploited in the wild.
Apply These Patches Now
One simple solution to this widespread vulnerability is to update all major web browsers and applications that are attached to network endpoints.
Browsers that have confirmed a fix and released an update include:
Other popular applications that have issued a patch include:
A larger list of impacted applications can be found on GitHub.
Is There Anything Else I Can Do?
Depending on the level of application development inside your organization, you might want to speak with your security lead about further investigations.
Software supply chain company Rezilion performed a deep technical analysis and found that a vulnerability scanner may not flag any issues tied to this particular vulnerability, because of administrative details in how the CVE record was established. The National Institute of Standards and Technology (NIST), which runs the CVE database, has been ironing out the issues behind the scenes since the scanner issue came to light.
If your business deploys a vulnerability scanner that automatically scrapes the newest information from the database, you may be in the clear. But taking provisional measures beyond your tools may be well worth the effort given the severity of this vulnerability.
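One provisional measure beyond a scanner's CVE-to-product mapping is to check your own inventory for bundled copies of the library. The following is an added example, not code from the article, Rezilion or At-Bay: it walks a minimal CycloneDX-style SBOM (a format and structure assumed here) and flags every nested occurrence of a named library whose version is older than a fixed version the operator supplies. The sample SBOM, the application names in it and the `FIXED_VERSION_PLACEHOLDER` value are constructed; replace the placeholder with the fixed release from the vendor advisory, which the article does not state.

```python
"""
Added example (not from the article): flag software that vendors an affected
image-codec library by walking an SBOM, instead of relying on a scanner's
CVE-to-product mapping, which Rezilion found may miss this vulnerability.

Assumptions: components are listed in a minimal CycloneDX-style JSON document
with optional nested "components"; the first fixed library version is supplied
by the operator (placeholder below, not taken from the article).
"""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Placeholder: set this to the first fixed release named in the vendor advisory.
FIXED_VERSION_PLACEHOLDER = "0.0.0"

LIBRARY_NAME = "libwebp"

# Constructed sample SBOM: four applications; three vendor libwebp, one of them
# with no version recorded at all (the common case for statically linked copies).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "example-browser", "version": "117.0",
         "components": [{"name": "libwebp", "version": "1.2.4"}]},
        {"name": "example-chat-client", "version": "5.3.1",
         "components": [{"name": "libwebp", "version": "1.3.2"}]},
        {"name": "example-image-tool", "version": "0.9",
         "components": [{"name": "libwebp"}]},
        {"name": "example-editor", "version": "2.0",
         "components": [{"name": "libpng", "version": "1.6.40"}]},
    ],
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '1.2.4' into a comparable tuple.

    Pre-release suffixes (rc, beta) are not modelled; only numeric fields count.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def walk(components: List[dict], path: List[str]) -> Iterator[Tuple[List[str], dict]]:
    """Yield (path, component) for every component at any nesting depth."""
    for comp in components:
        here = path + [f"{comp['name']}@{comp.get('version', '?')}"]
        yield here, comp
        yield from walk(comp.get("components", []), here)


def find_outdated(sbom_json: str, library: str, fixed_version: str) -> List[Dict[str, str]]:
    """Return every occurrence of `library` whose version precedes `fixed_version`.

    Occurrences with no recorded version are reported too: an unknown version
    cannot be cleared and should be investigated rather than silently passed.
    """
    sbom = json.loads(sbom_json)
    fixed = parse_version(fixed_version)
    findings: List[Dict[str, str]] = []
    for path, comp in walk(sbom.get("components", []), []):
        if comp.get("name") != library:
            continue
        version = comp.get("version", "")
        if not version or parse_version(version) < fixed:
            findings.append({
                "owner": path[0].split("@")[0],   # top-level application
                "path": "/".join(path),           # full nesting path in the SBOM
                "version": version or "unknown",
            })
    return findings


if __name__ == "__main__":
    for finding in find_outdated(SAMPLE_SBOM, LIBRARY_NAME, FIXED_VERSION_PLACEHOLDER):
        print(f"{finding['owner']}: {LIBRARY_NAME} {finding['version']} at {finding['path']}")
```

With the placeholder left at `0.0.0`, only the copy with no recorded version is reported; once the real fixed version is filled in, every older vendored copy is listed by the application that ships it, which is the inventory a scanner keyed on the browser's CVE entry alone would not produce.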
If you are an At-Bay broker or policyholder with questions or concerns regarding the WebP vulnerability, please contact our Security team at security@at-bay.com.