Update Your Browsers Immediately. Rce Vulnerability Discovered (nvd.nist.gov)
from VitabytesDev@feddit.nl to technology@lemmy.world on 29 Sep 2023 15:41
https://feddit.nl/post/4024540

Any Chromium and Firefox browser prior to version 116 will be vulnerable to this, update your browsers.

#technology

threaded - newest

eumesmo@lemmings.world on 29 Sep 2023 15:43 next collapse

What about webview-based browsers in android phones?

Bipta@kbin.social on 29 Sep 2023 16:28 next collapse

As far as I'm aware this does affect Android and is not currently fixed. It's expected to be fixed in the October security patch.

This is just my memory of reading weeks ago. Someone else may know better.

9point6@lemmy.world on 29 Sep 2023 16:33 next collapse

The Android webview is updated through the play store as of a few years ago

Bipta@kbin.social on 29 Sep 2023 18:00 collapse

I believe the libwebp is implemented at the OS level. Again someone else may know better.

TakingOnWater@lemmy.world on 30 Sep 2023 20:47 collapse

So if the phone gets a security update for this at the OS level, should we theoretically be safe to use apps with any sort of browser functionality? Like some apps that don’t update, or are no longer being maintained, etc

GamingChairModel@lemmy.world on 30 Sep 2023 15:15 collapse

This isn’t just a browser vulnerability. It’s a vulnerability at a much more fundamental level, which is why it’s so critical. It’s a vulnerability in how almost every piece of software processes a widely supported image format, so anything that touches images is potentially at risk: browsers, chat or messaging apps, file browsers, or really anything that uses thumbnails or image previews, including some core OS functionality. On the server side, you’ve got anything that makes thumbnails and previews, too.

We should wait and see whether there are any practical attacks outside the browser context (maybe the malicious code needs to be placed in a web page that displays the malicious image file, or maybe they need to figure out a way to actually put all the malicious code in the image file itself). But the vulnerability itself is in a fundamental library used by a lot more software.

shortwavesurfer@monero.town on 29 Sep 2023 15:44 next collapse

Well, i think firefox 117 fixed that webp issue so i am on that one.

joyjoy@lemm.ee on 29 Sep 2023 16:12 collapse

Specifically 117.0.1 (117.1 on android)

shortwavesurfer@monero.town on 29 Sep 2023 16:14 next collapse

Yep. Fennec F-Droid 117.1.0

tabular@lemmy.world on 29 Sep 2023 22:13 collapse

On the topic of Fennec F-Droid why does it still connect to various Mozilla and Google services that can track users? Is there an F-Droid browser which doesn’t?

shortwavesurfer@monero.town on 29 Sep 2023 23:49 next collapse

Try mull. I have heard its set to be more strict by default.

glacier@lemmy.blahaj.zone on 30 Sep 2023 00:22 collapse

Probably so it can still support FireFox sync.

ForestOrca@kbin.social on 29 Sep 2023 16:22 collapse

Good to go. Always roll with the latest version. 118.0.1

c10l@lemmy.world on 29 Sep 2023 16:24 collapse

Latest is 118.0.1.

ripcord@kbin.social on 29 Sep 2023 23:54 next collapse

Ok, but the latest is 118.0.1

c10l@lemmy.world on 30 Sep 2023 00:25 collapse

Yeah now that the parent edited their comment, mine looks silly.

ripcord@kbin.social on 30 Sep 2023 02:00 collapse

:)

Classy@sh.itjust.works on 30 Sep 2023 14:24 collapse

118.1.0, actually?

<img alt="" src="https://sh.itjust.works/pictrs/image/60f1cdd2-744b-41f7-8f88-f2333f51ce22.webp">

c10l@lemmy.world on 03 Oct 2023 10:57 collapse

Erm, no. 118.0.1 like I said. Released in 28/09. www.mozilla.org/en-US/firefox/…/releasenotes/

TylerDurdenJunior@lemmy.ml on 29 Sep 2023 16:15 next collapse

idk. The post content was not in all caps, so I am not really sure about the urgency

cheese_greater@lemmy.world on 29 Sep 2023 16:58 next collapse

What actual like platforms does this affect and to what extent tho? Like Mac (probably not iOS which is WebKit)?

Th3D3k0y@lemmy.world on 29 Sep 2023 17:40 next collapse

Current Description

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

cheese_greater@lemmy.world on 29 Sep 2023 18:21 collapse

By crafter webpage, does it mean it refers to anything like phishing or something a more savvy user wouldn’t likely “fall for” or does that actually not matter (zero-day or whatever)

Feathercrown@lemmy.world on 29 Sep 2023 18:37 collapse

Looks like it can do RCE without user interaction other than visiting the page-- not good!

towerful@programming.dev on 29 Sep 2023 18:44 next collapse

I’ve read elsewhere it’s actually a problem with libwebp not just chrome.
Basically, anything that relies on libwebp (ie can play libwebp) is vulnerable.
snyk.io/blog/critical-webp-0-day-cve-2023-4863/

cheese_greater@lemmy.world on 29 Sep 2023 18:56 collapse

I wonder if it applies to devices using LockDown mode, thats shuts down a lot of nonsense in its own right…

towerful@programming.dev on 29 Sep 2023 19:26 collapse

techtarget.com/…/Browser-companies-patch-critical…

Citizen Lab said Blastpass was discovered on the device of an employee with “a Washington DC-based civil society organization” and that it could be mitigated by Apple’s Lockdown Mode. An investigation into the exploit chain continues, but researchers said it involved “PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”

Edit:

Fuck my reading skill (or fuck articles listing multiple high profile CVEs)…
Blastpass is not the same libwebp CVE (blastpass, the iMessage thing, is CVE-2023-41064. libwebp is CVE-2023-4863 - although that is the chrome one, despite this affecting libwebp not chrome).

I think the whole situation is very rapidly being researched and it’s all developing.
So, no idea if lockdown mode would have any effect

cheese_greater@lemmy.world on 29 Sep 2023 22:31 collapse

Good, I’m so fucking tired of this bullshit.

towerful@programming.dev on 29 Sep 2023 23:05 collapse

Nah, this bullshit is progress.
The root of this problem has always existed. Exploits have always been there, mistakes have always been there. These things are fundamentally unavoidable.
Acknowledging then, documenting them is new. Sensible disclosure is new. Companies paying for these bug bounties before they are publicly disclosed (so they can be fixed) is new.
And it’s awesome. It’s security. It’s people working together for the betterment of everyone.

It would be amazing if people didn’t make mistakes. But that isn’t possible.
Openess, honesty and quickly remedying of issues is possible, and it’s laudable.

So yeh, next time you get an annoying update that interrupts you’re workflow. Please understand the work and reason behind the update. You can still be pissed at the interruption, but please appreciate the human reason for it.

Edit: I read “good” as “god”. Idk if that changes anything

cheese_greater@lemmy.world on 30 Sep 2023 00:01 collapse

I def agree with the openess tenor of your reply. People and companies (since companies technically “are” people) need to stop valuing pride over security and safety and all the good stuff of life. Like, just fix the damn cancer, stop trying to hide it and cut off the progrssively more necrotic limbs to save face.

We don’t disagree on anything, I was perhaps inelegant and non-specific in my invective.

towerful@programming.dev on 30 Sep 2023 00:53 collapse

since companies technically “are” people

This wording is some legal loophole bullshit.
I have tried to word something that disagrees with this for 30m. I can’t figure it out.
This is bullshit.
But this “company is person” tries to re-humanise corporations. I think. Or something.

Have some ranting…

A company is a group of people working in the interest of themselves.
A person is generally working in the interest of themselves.
A group of people always has more power than a single person, and thus should be held to a higher standard.

It seems like Google is taking this seriously… now (assigning a 10.0. The next highest is an 8.8 for $15k). But it seems like the cve is still assigned to chrome, as opposed to libwebp (where the actual vulnerability is)

And while I appreciate the publication - the fact its a 0-day publication (as opposed to “we patched this 6 months ago”) means Google hasn’t taken it seriously previously (or it’s be found exploited in the wild)

[deleted] on 30 Sep 2023 02:45 collapse

.

Phen@lemmy.eco.br on 29 Sep 2023 22:27 next collapse

Discord, slack, MS Teams, Steam, pretty much anything. But most of them have already fixed it so if you let stuff update itself frequently, there’s little risk.

GamingChairModel@lemmy.world on 30 Sep 2023 14:45 collapse

Apple also released urgent out-of-band security patches for iOS and MacOS around the same time, and disclosed that it had something to o do with imag processing. Unclear whether they use libwebp or some other implementation, but they disclosed that it was being actively exploited on iPhones.

padjakkels@lemmy.world on 29 Sep 2023 17:01 next collapse

Click bait much???

CrayonRosary@lemmy.world on 29 Sep 2023 17:32 collapse

How is this clickbait? The all-caps is a bit much, but the title contains everything you need to know. There’s nothing remotely clickbaity about it.

VitabytesDev@feddit.nl on 29 Sep 2023 18:40 collapse

Ah, yes sorry for the all-caps title. I just wanted to seem a bit urgent.

computergeek125@lemmy.world on 29 Sep 2023 20:52 next collapse

Not gonna lie the all caps made it seem less urgent because I’m so used to dealing with click bait

BorgDrone@lemmy.one on 29 Sep 2023 23:32 collapse

I just wanted to seem a bit urgent.

It was kinda urgent two and a half weeks ago when this was first published. Now, not so much,

VitabytesDev@feddit.nl on 30 Sep 2023 07:20 collapse

Two and a half weeks ago? I learned about it yesterday. Sorry for bothering you then.

pastermil@sh.itjust.works on 29 Sep 2023 19:04 next collapse

I read this as RICE vulnerability and was confused

PeWu@lemmy.ml on 30 Sep 2023 00:12 next collapse

Yeah, Linux boys would be mad

Turun@feddit.de on 30 Sep 2023 00:32 collapse

No, how could I be mad about the truth? We’d download and run any dotfiles if the screenshot looks nice enough.

cheese_greater@lemmy.world on 30 Sep 2023 15:18 collapse

Imma let you get to that soon but we all know RCE vulnerabillities really won the night here

treadful@lemmy.zip on 29 Sep 2023 19:35 next collapse

There’s a more recent CVE as well for FF that was patched in 118.0.1: CVE-2023-5217: Heap buffer overflow in libvpx

Buelldozer@lemmy.today on 29 Sep 2023 19:44 next collapse

This is way way wider than just browsers. Anything that can display webp images is vulnerable and that includes things like MS Teams and Twitch.

Lantern@lemmy.world on 30 Sep 2023 02:24 next collapse

Further solidifying webp as the worst image format.

chameleon@kbin.social on 30 Sep 2023 03:03 next collapse

The current advisory is in webm (VP8 specifically). The webp one was 2 weeks ago. ...yeah, not a good time for web browsers lately...

(edit: noticed OP actually did link the webp one, I thought it'd be CVE-2023-5217 because that's being linked elsewhere)

jackpot@lemmy.ml on 30 Sep 2023 03:38 next collapse

whats wrong with it

CmdrShepard@lemmy.one on 30 Sep 2023 05:13 next collapse

Try linking one and sending it to someone else. I tried it and the recipient died two days later.

PurpleTentacle@sh.itjust.works on 30 Sep 2023 06:24 next collapse

That’s weird, doesn’t it usually take seven?

static.wikia.nocookie.net/thering/…/latest?cb=202…

jackpot@lemmy.ml on 30 Sep 2023 12:11 collapse

jokes aside what is bad with it

Lantern@lemmy.world on 30 Sep 2023 14:00 next collapse

It’s a format that most major image editors don’t support. Basically, if you wanted to do anything with it, you need to first convert it to a different format. It’s the only format that has this problem.

ipkpjersi@lemmy.ml on 30 Sep 2023 15:05 next collapse

That’s fair except it’s not the only format that has this problem. There’s JPEG 2000 and AVIF which have even less image editor support.

Lantern@lemmy.world on 30 Sep 2023 22:09 collapse

I had meant to say common format. I’ve never encountered a JPEG 2000.

glad_cat@lemmy.sdf.org on 05 Oct 2023 11:19 collapse

I’m old enough to remember when the same argument was made for PNG files. It’s a stupid argument.

Lantern@lemmy.world on 05 Oct 2023 15:02 collapse

WEBP is 13 years old at this point and lacks the support that PNG had 3 years into its lifetime. The benefits are marginal, and without platform support it can’t catch on. Do your research before calling someone else’s argument stupid.

SnowdenHeroOfOurTime@unilem.org on 30 Sep 2023 15:14 next collapse

I think most people dislike it because Google made it. Google is evil as fuck, but it’s a damn good image format, obviously so since it’s way smaller for the same visuals compared to the older formats, plus it supports transparency. Google is evil but still makes good software sometimes.

gamer@lemm.ee on 30 Sep 2023 15:44 collapse

There’s some politics involved. Basically, everyone is rallying behind JPEGXL instead of WebP, but Google refuses to support JPEGXL in Chrome. The reasoning they gave is weak, so it’s assumed that they’re just trying to force the format they invented on everyone because they can.

IIRC, performance of the two formats is similar.

Dark_Arc@social.packetloss.gg on 30 Sep 2023 15:50 next collapse

“everyone”

jackpot@lemmy.ml on 30 Sep 2023 16:23 next collapse

why does everyone like jpegxl and why does google care if it’s foss

GamingChairModel@lemmy.world on 30 Sep 2023 19:27 collapse

JPEG XL, like AVIF and HEIC and WebP, is basically a next generation format that supports much higher quality at lower file sizes compared to JPEG and PNG.

Among those four formats, JPEG XL is promising because it allows for recompression of JPEG losslessly. That means if you take an image that was already encoded as JPEG (as the vast, vast majority of images are), you can recompress with no additional loss in quality from the conversion. That’s something that isn’t true of the others.

JPEG XL also has a much higher maximum quality and specific features great for high quality image workflows (like for professional photographers, publishers, and those who need to print images). WebP, AVIF, and HEIC are good for sharing on the web, but the printing and publishing workflow support requires a few more conversions along the way.

I thought this blog post by a cloud image delivery network that played a big role in developing JPEG XL was pretty persuasive, even if they had a direct interest in JPEG XL adoption.

Vub@lemmy.world on 30 Sep 2023 19:43 collapse

But aren’t jpegxl and webp meant for completely different uses? Like jpeg and png are. Jpeg is better for photos and png for graphics.

Also using “XL” in a name for an encoding which does better compression was not the smartest idea, that will surely confuse many users.

GamingChairModel@lemmy.world on 02 Oct 2023 01:07 collapse

But aren’t jpegxl and webp meant for completely different uses? Like jpeg and png are. Jpeg is better for photos and png for graphics.

No. JPEG XL is designed to be better at pretty much everything than webp (which was just adapted from a video format that was designed to be really efficient at video but without touching any patents). JPEG is best at photographs at screen resolutions, and PNG is best for screenshots of computer interfaces with lots of repeated colors, and DNG/TIFF are great for high resolution and bit depth (like for professional printing and publishing, or raw image capture from the camera). JPEG XL does a good job at all of those.

Vub@lemmy.world on 02 Oct 2023 04:29 collapse

Thank you. It would be nice with one format to replace them all.

TwoGems@lemmy.world on 01 Oct 2023 02:00 collapse

Exactly why WebP is shit, and Google literally owning everything shouldn’t be normalized.

synceDD@lemmy.world on 30 Sep 2023 13:59 next collapse

? I dont like it because I’m uneducated so it’s bad, average voter

gamer@lemm.ee on 30 Sep 2023 15:37 collapse

Lazy motherfuckers on this site can’t even use proper grammar when being a snarky asshole. That shit you wrote is barely coherent.

synceDD@lemmy.world on 30 Sep 2023 16:06 collapse

Your low intelligence is none of my concern

Lucidlethargy@sh.itjust.works on 30 Sep 2023 17:40 collapse

WebP is currently the smallest and highest quality format accepted by browsers today. I have no idea why you think so negatively of it, but it’s irreplaceable until something better is widely adopted, and thus viable.

It’s the best format for websites as of this exact moment.

Espi@lemmy.world on 30 Sep 2023 17:50 next collapse

AVIF is supported everywhere and it’s fantastic

mlg@lemmy.world on 30 Sep 2023 18:52 next collapse

Highest compression, not highest quality (arguably).

Also heavy compression which takes more resources to display.

Also poor compatibility outside browsers.

afaik it’s basically still just VP8 in image format with added metadata, and google refuses to support alternatives because they like to own the browser market.

I think there was gonna be a webp and webm 2, but it never happened.

CriticalMiss@lemmy.world on 30 Sep 2023 21:03 collapse

The only reason that’s the case is because Google axed the JPEGXL implementation

seaQueue@lemmy.world on 30 Sep 2023 03:31 collapse

It’s the full disclosure of the ImageIO webp vuln from last week, this is the root cause.

bappity@lemmy.world on 29 Sep 2023 21:32 next collapse

AGAIN?

dublet@lemmy.world on 30 Sep 2023 00:59 next collapse

<img alt="Not another one" src="https://media.tenor.com/images/b1e52a48360f70987e676d46d2a6b07d/tenor.gif">

seaQueue@lemmy.world on 30 Sep 2023 03:30 next collapse

It’s last week’s big libwebp vulnerability again.

Edit: this underlying vuln is why last week’s CVE was such a big deal, anything using webp is at risk including a whole big pile of electron apps that everyone uses.

bappity@lemmy.world on 30 Sep 2023 04:08 collapse

oh >_>

GamingChairModel@lemmy.world on 30 Sep 2023 14:32 collapse

Sorta. OP just linked the full disclosure of the libwebp vulnerability that made the news 2 weeks ago.

But there’s an even more recent vulnerability in libvpx that was announced this week, that is similar in a lot of ways (including severity).

Vub@lemmy.world on 30 Sep 2023 19:48 next collapse

Not sure why you only mention Chromium and Firefox in the post text, I can only assume this vulnerability affects ALL browsers. Safari (WebKit based) is, as far as I know, the second most used browser in the world.

dwokimmortalus@lemmy.world on 01 Oct 2023 08:39 collapse

It’s anything implementing .webp support. Though the CVE has been out for nearly two weeks already so most apps have been patched.

marius851000@lemmy.mariusdavid.fr on 02 Oct 2023 09:50 collapse

Actually, it’s specific to libwebp, but many things that decode webp just use this library (for example, decoding webp with the “image” rust crates doesn’t use libwebp. It does use it for encoding thought).

nostradiel@lemmy.world on 30 Sep 2023 20:23 collapse

I found these alerts so hilarious… You have no idea how many vulnerabilities are discovered by grey/blackhat hackers. Even whitehat working for the governments or contractors not reporting it to have more variety of back doors.

But ok… Update and “be” protected. 🤣

CriticalMiss@lemmy.world on 30 Sep 2023 21:05 collapse

Yes but this is a vulnerability now open to the public that script kiddies are going to utilize so unless you want your data grabbed by a 14yo larper for opening an image in your browser update your browser

bobman@unilem.org on 01 Oct 2023 01:04 collapse

Why are script kiddies always, kids?

Not a single child I knew growing up knew how to program.

StinkyRedMan@lemmy.world on 01 Oct 2023 01:51 next collapse

That’s the point, script kiddies refers to young peoples with low to no technical knowledge using tools made by other peoples.

bobman@unilem.org on 01 Oct 2023 07:10 collapse

But that’s why it’s misleading.

Most of the people writing these scripts to exploit known vulnerabilities are not young. It’s just an insult to people who write scripts.

kevinbacon@lemmy.world on 01 Oct 2023 07:31 collapse

The skiddies are the ones using the scripts, not the ones writing them…

bobman@unilem.org on 01 Oct 2023 07:33 collapse

Right. Using/writing, my point still stands that most of them are not kids. It’s just an insult because it doesn’t require much effort, but has nothing to do with youth.

Nice ellipses, though. Makes me know you’re not really worth listening to.

kevinbacon@lemmy.world on 01 Oct 2023 12:52 collapse

Your “point” isn’t one, the fact that you don’t seem to comprehend that makes me sure you have brain problems.

bobman@unilem.org on 01 Oct 2023 16:35 collapse

What are you talking about?

most of them are not kids

How is that not a point? Lol.

the fact that you don’t seem to comprehend that makes me sure you have brain problems.

Ahh, you must be mad because I called out ellipses as a tool for smug idiots who don’t know what they’re talking about.

[deleted] on 01 Oct 2023 17:01 collapse

.

bobman@unilem.org on 01 Oct 2023 17:44 collapse

Lol, what?

tard

First of all, leave the derogatory terms at home. All it does is make you look unreasonable and illogical, just like using smug ellipses.

Nobody said they were

Err… my entire point from the beginning has been focused on the term ‘kiddies.’

Lol. You seem unreasonably upset for no apparent reason. I’m gonna block you now.

Have a nice life, kid.

AnarchistArtificer@lemmy.world on 01 Oct 2023 15:26 collapse

I think the term is as much a comment on maturity as it is literal age.

bobman@unilem.org on 01 Oct 2023 16:36 collapse

That’s the thing. It’s a comment on maturity, not literal age.