Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability exploited as a zero-day in attacks and patched two weeks ago.
The company initially disclosed the flaw as a Chrome weakness, tracked as CVE-2023-4863, rather than assigning it to the open-source libwebp library used to encode and decode images in WebP format.
This zero-day bug was jointly reported by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto's Munk School on Wednesday, September 6, and fixed by Google less than a week later.
Security researchers at Citizen Lab have an established track record of detecting and disclosing zero-days that have been abused in targeted spyware campaigns, often linked to state-sponsored threat actors primarily targeting high-risk individuals such as journalists and opposition politicians.
The decision to tag it as a Chrome bug caused confusion within the cybersecurity community, prompting questions regarding Google's choice to categorize it as a Google Chrome issue rather than identifying it as a flaw in libwebp.
Security consulting firm founder Ben Hawkes (who previously led Google's Project Zero team) also linked CVE-2023-4863 to the CVE-2023-41064 vulnerability addressed by Apple on September 7 and abused as part of a zero-click iMessage exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus commercial spyware.
New maximum severity CVE
However, Google has now assigned another CVE ID, CVE-2023-5129, marking it as a critical issue in libwebp with a maximum 10/10 severity rating. This change has significant implications for other projects using the libwebp open-source library.
Now officially recognized as a libwebp flaw, it involves a heap buffer overflow in WebP, impacting Google Chrome versions prior to 116.0.5845.187.
This vulnerability resides within the Huffman coding algorithm used by libwebp for lossless compression, and it enables attackers to execute out-of-bounds memory writes using maliciously crafted HTML pages.
This type of exploit can have severe consequences, from crashes to arbitrary code execution and unauthorized access to sensitive information.
The reclassification of CVE-2023-5129 as a libwebp vulnerability holds particular significance because it initially went unnoticed as a potential security threat for numerous projects using libwebp, including 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and the native Android web browsers.
The revised critical rating underscores the importance of promptly addressing the security vulnerability (now tracked under multiple CVE IDs with different severity ratings) across these platforms to ensure users' data security.
A Google spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.