It’s time to update Google Chrome, Mozilla’s Firefox or Thunderbird, Microsoft Edge, the Brave browser or Tor Browser; web development news site StackDiary has reported a zero-day vulnerability in all six browsers that could allow threat actors to execute malicious code.
Vulnerability originates in WebP reader
Users of the affected browsers should update to the most up-to-date version in order to ensure the zero-day vulnerability is patched on their machines. The problem isn’t with the browsers — the vulnerability originates in the WebP Codec, StackDiary discovered.
Other affected applications include:
- Many Android applications.
- Cross-platform apps built with Flutter.
Apps built on Electron may also be affected; Electron released a patch.
Many applications use the WebP codec and libwebp library to render WebP images, StackDiary noted.
SEE: Check Point Software finds that cybersecurity attacks are coming from both the new school (AI) and the old school ( mysteriously dropped USBs). (TechRepublic)
In more detail, a heap buffer overflow in WebP allowed attackers to perform an out-of-bounds memory write, NIST said. A heap buffer overflow allows attackers to insert malicious code by “overflowing” the amount of data in a program, StackDiary explained. Since this particular heap buffer overflow targets the codec (essentially a translator that lets a computer render WebP images), the attacker could create an image in which malicious code is embedded. From there, they could steal data or infect the computer with malware.
The vulnerability was first detected by the Apple Security Engineering and Architecture team and The Citizen Lab at The University of Toronto on September 6, StackDiary said.
What steps should users take?
Google, Mozilla, Brave, Microsoft and Tor have released security patches for this vulnerability. Individuals running those apps should update to the latest version. In the case of other applications, this is an ongoing vulnerability for which patches may not exist; NIST noted that the vulnerability has not yet received full analysis.
NIST classified the vulnerability as severe and recommends users stop using applications for which a patch is not yet available. Check your application individually as needed.