WebP’s Weak Spot: Unveiling the Hidden Vulnerability

Last month (September 2023), Google reported a newly discovered security issue in Google Chrome, which it described as a ‘heap buffer overflow in WebP within Google Chrome’ and tracked under CVE-2023-4863. This was first thought to be just another minor bug found within the browser – something to be addressed in a future release.

However, as the root cause was investigated further, it was found that the vulnerability existed not within Chrome, but within the libwebp library itself. This new information allowed security researchers to gain a better understanding of the potential wider impact of the issue and its links to other earlier reported vulnerabilities, including CVE-2023-41064.

With the wider impact now better understood, it became apparent that the vulnerability was not just confined to Chrome but had far-reaching consequences due to the widespread use of the WebP format within various applications, including browsers, email clients, mobile apps, and operating systems.

What is libwebp and why is this a big deal?

The libwebp library is an image processing library, developed by Google and widely used by applications, such as Chrome, to process and render images in the ‘webp’ format.

WebP provides a number of benefits over other more established image formats (such as png, jpg) due to its flexibility in supporting features such as lossy and lossless compression, transparency & animation, making it a popular choice for those software developers wanting to integrate image rendering functionality into their applications and services. 

Typically, you’ll see WebP used in places like:

  • Websites: Modern content management systems and web frameworks often provide plugins or tools for serving WebP images. 
  • Android Devices: Android 4.2.1 (API level 17) and higher support WebP natively.
  • Apple Devices: WebP isn't natively supported, but third-party libraries, such as SDWebImage, provide WebP integration.
  • MacOS/Windows: Some modern image editors and viewers support WebP natively. For others, plugins or extensions might be required.

What’s the risk?

The vulnerability lies in the way the libwebp library handles Huffman coding within the WebP file format. Huffman coding, a method to efficiently represent data, was being mishandled, resulting in a potential buffer overflow. A specially crafted WebP image could exploit this flaw to write data beyond the allocated memory space, opening the door to malicious attacks.

In real-world terms, this vulnerability has the potential to allow an attacker to create a specially crafted WebP image containing a malicious payload, which, when processed by a vulnerable version of the libwebp library, could lead to the malicious payload being executed on the end user's device.

So, just by viewing an image, your device could be compromised.

Who’s at risk?

The good news? Not everyone! The bad news? Well, it’s a decent chunk of the internet. Vulnerable systems include web browsers, image processors, and applications using specific libraries to handle WebP, affecting all types of device from mobile, to desktop, to smart devices (such as your TV). 

Chances are, if it can be used to view an image, it's more than likely affected.

How can I protect myself from this and other similar vulnerabilities in future?

Well, the good news is that there are ways of managing not only the known risks, but also the unknown risks associated with vulnerabilities of this type.

Patch, Patch, Patch: For the end user, the most powerful tool you have at your disposal is patching. It may seem like an overused cliché, but staying up to date with patches and updates is still one of the most effective ways of dealing with vulnerabilities and security risks. Vendors, including Google, have started rolling out patches, and it’s crucial to keep your systems updated.

If there’s an update with a security patch for WebP handling for your application, jump on it like it’s a winning lottery ticket.

For the Tech Professionals amongst us, there are also a number of actions and considerations you can implement to minimise the risk to your systems and end users, including:

  • Memory Sanitisation: Developers should sanitise memory allocations, especially when handling external inputs (like WebP files from the internet). This can be achieved through techniques like bounds checking and proper memory management.
  • Input Validation: Always validate and sanitise input. Ensure that imported or user supplied media, such as WebP images, conform to expected standards before processing.
  • Use a Web Application Firewall (WAF): WAFs can detect and block malicious requests, including those carrying files with unwanted surprises, such as malicious code.
  • Regular Code Audits: Regularly review and test your code base for vulnerabilities. Automated tools can help, but manual reviews by experienced developers are invaluable.
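
As an added illustration of the bounds-checking and input-validation points above (not code from libwebp or from this article), the following C function checks that a buffer is a well-formed WebP RIFF container before it is handed to a decoder. The function name, status codes and sample bytes are constructed for this example, and requiring the RIFF size to match the buffer length exactly is a strict policy choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum webp_check { WEBP_OK = 0, WEBP_TOO_SHORT, WEBP_BAD_MAGIC,
                  WEBP_BAD_RIFF_SIZE, WEBP_BAD_FIRST_CHUNK, WEBP_CHUNK_OVERRUN };

/* Read a little-endian 32-bit value; caller guarantees 4 readable bytes. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper: structural check of a WebP RIFF container in memory. */
enum webp_check webp_container_check(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < 20) return WEBP_TOO_SHORT; /* 12-byte header + chunk header */
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WEBP", 4) != 0)
        return WEBP_BAD_MAGIC;
    /* The RIFF size counts everything after the first 8 bytes. */
    uint32_t riff_size = rd_le32(buf + 4);
    if ((uint64_t)riff_size + 8 != (uint64_t)len) return WEBP_BAD_RIFF_SIZE;
    if (memcmp(buf + 12, "VP8 ", 4) != 0 && memcmp(buf + 12, "VP8L", 4) != 0 &&
        memcmp(buf + 12, "VP8X", 4) != 0)
        return WEBP_BAD_FIRST_CHUNK;

    size_t off = 12;
    while (off < len) {
        if (len - off < 8) return WEBP_CHUNK_OVERRUN;   /* truncated chunk header */
        uint32_t chunk_size = rd_le32(buf + off + 4);
        uint64_t padded = (uint64_t)chunk_size + (chunk_size & 1u); /* even padding */
        /* Compare against the bytes remaining; never compute off + size first. */
        if (padded > (uint64_t)(len - off - 8)) return WEBP_CHUNK_OVERRUN;
        off += 8 + (size_t)padded;
    }
    return WEBP_OK;
}

/* Constructed samples: a 22-byte container, and one whose chunk size lies. */
static const uint8_t sample_ok[22] = { 'R','I','F','F', 14,0,0,0, 'W','E','B','P',
    'V','P','8','L', 2,0,0,0, 0x2f,0x00 };
static const uint8_t sample_overrun[22] = { 'R','I','F','F', 14,0,0,0, 'W','E','B','P',
    'V','P','8','L', 0xff,0xff,0xff,0xff, 0x2f,0x00 };

int main(void) {
    return (webp_container_check(sample_ok, sizeof sample_ok) == WEBP_OK &&
            webp_container_check(sample_overrun, sizeof sample_overrun)
                == WEBP_CHUNK_OVERRUN) ? 0 : 1;
}
```

This covers the container only and does not inspect the compressed data where the Huffman tables live, so it complements patching rather than replacing it.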

On the surface of it, these types of vulnerabilities may sound scary – especially when the risks are embellished and exaggerated by those ever diligent news outlets that consider a Twitter post to be a credible source – but remember, by the time the story of a new vulnerability has broken, the software and service providers impacted have been busy behind the scenes working on addressing the risk, with an update or patch following soon after. 
