September 28, 2023

Zero-day bug requires action: Enable auto updates

Security researchers are reporting that a vulnerability that affects a wide range of software, including web browsers, requires immediate attention by end users and IT staff.

Libwebp: A ubiquitous code library

  • WebP is an image format designed by Google that compresses pictures into smaller files than PNG or JPEG, so that they render quickly in the browser without a visible loss of quality.
  • Libwebp is a code library that applications can use to process WebP images.
  • A flaw in libwebp (CVE-2023-4863, listed in the references below) can be exploited to execute arbitrary code, which can compromise the device on which it is running.
  • The bug can sometimes be triggered without user interaction, when the application receives a malicious image.

How do I know if I have libwebp in my environment?

Because code libraries may be shared (provided as part of your operating system, and used by applications as needed) or built into the application, it is impractical to list all the software which may be affected. Some products, such as Chrome and Safari, have been updated to mitigate this vulnerability. However, it is highly likely that embedded or proprietary software, IoT devices, and manually installed software which doesn’t get automatic updates will still be vulnerable.

Other applications known to use or include libwebp include the following:

  • GIMP
  • LibreOffice
  • 1Password
  • Signal
  • ffmpeg
  • Telegram
  • Slack
  • Microsoft Teams

These are just examples; the list is not exhaustive. A longer (but also not exhaustive) list may be found here.

What should I do about this?

End users in the UW community

Enable automatic updates on all your devices. Ensure that updates are enabled both for the operating system and for any plugins, apps, or other software that you have installed.

IT professionals

  • The general defense against this type of vulnerability is to have an inventory of your software products and a lifecycle plan for each of them.
  • Enabling automatic updates for all software products is ideal.
  • A software inventory is critical, particularly for any custom or manually-installed packages that may not get automatic updates. You cannot manage what you don’t know you have.
  • In managed environments where automatic updates are not practical, a plan for application of updates on a schedule (at least monthly is suggested) is paramount.
  • In addition to a regular schedule, have a process in place for pushing critical updates such as this one on demand.
  • For embedded or IoT devices, contact your vendor and determine how updates are handled and distributed.
  • Know the lifecycle policy of each of your software vendors, and make plans to isolate any devices which must be kept in service beyond their end-of-life support.
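The two questions above (how to find out whether libwebp is present, and how to keep an inventory of copies that automatic updates will not reach) can be answered in part with a host-level scan. The script below is an added example written for this advisory, not a tool from UW, Google or the libwebp project. It reports three kinds of copy on a Linux host: the distribution package (which OS auto-update fixes), the shared library visible to every application through the dynamic loader, and libwebp shared objects bundled inside application directories, which OS updates do not touch. The search roots (/opt, /usr/local, /snap and so on) and the MIN_SAFE_VERSION threshold are assumptions: the advisory does not state a fixed version, so set the threshold from your own vendor's release notes.

```shell
#!/bin/sh
# libwebp_inventory.sh -- added example, not part of the UW advisory.
# Usage: sh libwebp_inventory.sh /opt /usr/local /snap   (search roots are assumptions)
# Set MIN_SAFE_VERSION from your vendor's advisory; it is deliberately left
# empty here because the page does not state a fixed libwebp version.
MIN_SAFE_VERSION="${MIN_SAFE_VERSION:-}"

# version_lt A B -> exit 0 when dotted version A sorts before B (1.2 < 1.2.1).
# Missing components count as zero; non-numeric components are skipped.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; a=${a#"$ax"}; a=${a#.}
        bx=${b%%.*}; b=${b#"$bx"}; b=${b#.}
        ax=${ax:-0}; bx=${bx:-0}
        [ "$ax" -lt "$bx" ] 2>/dev/null && return 0
        [ "$ax" -gt "$bx" ] 2>/dev/null && return 1
    done
    return 1
}

# classify VERSION -> UPDATE when below the threshold, OK otherwise,
# UNKNOWN when no threshold has been configured. Distro epochs ("1:")
# and packaging suffixes ("-1+deb12u1") are stripped before comparing.
classify() {
    v=${1#*:}; v=${v%%[-+~]*}
    if [ -z "$MIN_SAFE_VERSION" ]; then echo UNKNOWN
    elif version_lt "$v" "$MIN_SAFE_VERSION"; then echo UPDATE
    else echo OK; fi
}

# packaged_version -> "<package> <version>" lines from dpkg or rpm, if any
packaged_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Package} ${Version}\n' 'libwebp*' 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}\n' 'libwebp*' 2>/dev/null || true
    fi
}

# loader_visible -> libwebp entries in the dynamic loader cache
loader_visible() {
    { command -v ldconfig >/dev/null 2>&1 && ldconfig -p 2>/dev/null | grep -i 'libwebp'; } || true
}

# bundled_copies ROOT... -> libwebp shared objects found under the given roots
bundled_copies() {
    find "$@" -type f -name 'libwebp*.so*' 2>/dev/null || true
}

# report ROOT... -> human-readable inventory of all three sources
report() {
    echo "== distribution packages (fixed by OS auto-update) =="
    packaged_version | while read -r name ver; do
        echo "$name $ver  [$(classify "$ver")]"
    done
    echo "== loader-visible shared libraries =="
    loader_visible
    echo "== bundled copies under: $* (NOT fixed by OS updates; ask the application vendor) =="
    # The number in the filename (libwebp.so.7.x.y) is the ABI soname,
    # not the libwebp release version, so it is listed without a verdict.
    bundled_copies "$@"
}

if [ "$#" -gt 0 ]; then
    report "$@"
else
    echo "usage: $0 SEARCH_ROOT...   e.g. $0 /opt /usr/local /snap" >&2
fi
```

Statically linked copies (an application that compiled libwebp into its own binary) leave no libwebp*.so file behind and will not show up in the third section; for those, the vendor's own advisory is the only reliable source, which is the point of the "contact your vendor" step above. Treat every bundled copy as a separate inventory entry with its own update path.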

Where can I get help?

If you would like general assistance with lifecycle planning, asset inventory, or risk management, please contact us at ciso@uw.edu.

References

Bleeping Computer: Google assigns new maximum rated CVE to libwebp bug exploited in attacks

Isosceles blog: The WebP 0-day

Ars Technica: Incomplete disclosures by Apple and Google create “huge blindspot” for 0-day hunters

StackDiary: Critical WebP bug: many apps, not just browsers, under threat

NIST: CVE-2023-4863 Detail

NIST: CVE-2023-41064 Detail