2nd Edition

Tracking the trends and news for IT and IT Security

Paul Davis

This zero-day vulnerability could be used to hack iPhone, Android, Chrome and many other program…

This zero-day vulnerability could be used to hack iPhone, Android, Chrome and many other program…>

Google has identified a new security vulnerability in the libwebp image library, which is used for displaying WebP format images.
This vulnerability has been exploited by malicious users.
Google released a security update to fix a major vulnerability found in Google Chrome for Windows, macOS, and Linux, assigning it the CVE ID CVE-2023-4863 with a severity rating of 8.8 (High).
The vulnerability analysis revealed a heap buffer overflow vulnerability in the libwebp library.
This flaw allows threat actors to trigger the issue by using a crafted HTML page to perform an out-of-bounds memory write.
Google has reported another vulnerability, now known as CVE-2023-5129, related to the same libwebp library.
Further investigation led to the discovery of CVE-2023-41064, which also affected the libwebp library.
Apple, Google, and Mozilla provided fixes for a flaw that could execute arbitrary code when processing a carefully crafted image.
This bug is tracked separately as CVE-2023-41064 and CVE-2023-4863.
Both vulnerabilities are likely related to the same underlying issue in the library.
CVE-2023-41064 is allegedly associated with CVE-2023-41061 as part of a clickless iMessage attack chain called BLASTPASS, which delivers the mercenary malware Pegasus, according to Citizen Lab.
However, there are no further technical details available at this time.
The decision to classify CVE-2023-4863 as a vulnerability in Google Chrome contradicts its broader impact on other programs using the libwebp library, suggesting a wider scope than initially believed.
The vulnerabilities CVE-2023-4863 and CVE-2023-41064 were discovered by a security researcher and reported to both Google and Apple, resulting in the creation of separate CVEs.
Rezillion’s investigation identified numerous software programs, code libraries, frameworks, and operating systems vulnerable to CVE-2023-4863.
The security researcher involved is an expert in mobile security and malware analysis, with experience in the field since 2003.
They have worked for cybersecurity companies such as Kaspersky Lab and possess a deep level of knowledge in mobile security and vulnerabilities.
Link: https://www.memesita.com/this-zero-day-vulnerability-could-be-used-to-hack-iphone-android-chrome-and-many-other-programs/

Categories:

Tags: