Mozilla Patches Firefox, Thunderbird Against Zero-Day Exploited in Attacks (bleepingcomputer.com)
Mozilla has released emergency security updates to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client. From a report: Tracked as CVE-2023-4863, the security flaw is caused by a heap buffer overflow in the WebP code library (libwebp), whose impact spans from crashes to arbitrary code execution. "Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild," Mozilla said in an advisory published on Tuesday. Mozilla addressed the exploited zero-day in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2. Even though specific details regarding the WebP flaw's exploitation in attacks remain undisclosed, this critical vulnerability is being abused in real-world scenarios.
Great, Just Great (Score:2)
Re: Great, Just Great (Score:2)
You know there is a Mozilla team PPA right?
Re: (Score:2)
You know there is a Mozilla team PPA right?
Sure do. In real life that's what I use. Just trying to point out another, among many, shortcomings of snaps. I curate my Linux box carefully, so I don't run snaps. Inviting a giant gob of who knows what to live on my machine just isn't my cup of tea.
libwebp vulnerability, let's look at git history (Score:5, Insightful)
My guess is: https://github.com/webmproject... [github.com]
Use package managers, people... updating dynamically linked libwebp is easier than updating 10 different programs, and relying on 10 vendors to be proactive...
Re: (Score:2)
If that's the bug fix above*: I'm not seeing much C++ code there, just a lot of C.
(*) I'm not sure why anybody should be messing with Huffman code at this stage in development, so maybe it is...
My gosh how is this possible (Score:1)
What are the odds this bug was intentionally put in there? Does that kind of thing ever happen?
Re: My gosh how is this possible (Score:2)
Probably by University of Minnesota.
Re:My gosh how is this possible (Score:5, Informative)
Of course it happens. But any given exploitable library is way more likely to be a bug and not some master plan.
The more likely threat is that powerful actors in cyberspace become aware of these flaws and exploit them without being noticed, as NSO group has done over and over again. NSO group is not officially a state-level actor, but given their intelligence ties they may as well be - but unlike more traditional intelligence agencies, they used their zero days as something that could be sold to sketchy governments, to gain access to journalists' phones. So the users of an exploit may be intelligence agencies, strange pseudointelligence agencies like the NSO group, or just straight up criminals looking to steal bitcoin and such.
There's no great and easy way to disable webp in firefox, but given that I don't like new image formats and try to disable them, I've been using:
https://addons.mozilla.org/en-... [mozilla.org]
However, I'm not convinced that webps still don't bleed through from time to time, and maybe this just pulls down a real image for saving purpose.
Overall webp is an annoying spec for several reasons.
1- Two entirely different specs under the hood. A png or gif is lossless, a jpg is lossy. A webp is either.
2- Extremely low compatibility with websites. Nothing wants your webp.
3- Pretty low compatibility with programs. Some things can move them around, but you're better off with a jpg, png, or gif.
4- Difficult to disable as completely as you might want it to be
5- Very low testing compared to older formats, huge risk profile even after this is fixed
Re: (Score:1)
Thank you for the reply, very informative
Re: (Score:2)
There's no great and easy way to disable webp in firefox,
What about about:config "image.webp.enabled" = false?
Re:My gosh how is this possible (Score:5, Informative)
That 100% will make you immune to this vulnerability, but if a browser wants to send a webp (and does support non-webp formats), it will often just be like "welp here's a webp that I don't know how to load" instead of actually requesting the real image.
If you have webp enabled and go here:
https://developers.google.com/... [google.com]
You'll see jpgs on the left and webp on the right.
If you disable webp, you'll see jpgs on the left and nothing on the right. Which, if you want that, you're good to go.
Re: (Score:3)
There's a hell of a lot more wrong with WebP than that. There's multiple incompatible header styles for WebP depending on the version number. There are multiple data blocks in a file, and any one of them, not just the first block, can contain the image properties, so you have to scan the whole file just to determine which block has the data you want. Animated WebP files make this even more complicated, because each frame can have its own image properties, but they may not be uniform. Then, just to get
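The container layout discussed in the comment above, as an added example that is not part of the original thread: a bounds-checked walk over a WebP file's RIFF chunks that reports every top-level chunk declaring image dimensions. The function names and the sample bytes are constructed for illustration, and chunks nested inside an ANMF frame are not descended into.

```python
import struct

def walk_chunks(data: bytes):
    """Yield (fourcc, payload) for each RIFF chunk, checking every length first."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    end = 8 + struct.unpack_from("<I", data, 4)[0]
    if end > len(data):
        raise ValueError("RIFF size exceeds file length")
    pos = 12
    while pos < end:
        if pos + 8 > end:
            raise ValueError("truncated chunk header")
        fourcc, size = struct.unpack_from("<4sI", data, pos)
        pos += 8
        if size > end - pos:
            raise ValueError(f"chunk {fourcc!r} overruns container")
        yield fourcc, data[pos:pos + size]
        pos += size + (size & 1)  # payloads are padded to an even length

def le(b: bytes) -> int:
    return int.from_bytes(b, "little")

def dimensions(fourcc: bytes, p: bytes):
    """Return (width, height) if this chunk type declares them, else None."""
    if fourcc == b"VP8X" and len(p) >= 10:   # extended header: 24-bit canvas size minus one
        return le(p[4:7]) + 1, le(p[7:10]) + 1
    if fourcc == b"ANMF" and len(p) >= 12:   # animation frame: X, Y, then size minus one
        return le(p[6:9]) + 1, le(p[9:12]) + 1
    if fourcc == b"VP8L" and len(p) >= 5 and p[0] == 0x2F:   # lossless: 14 + 14 bits
        bits = le(p[1:5])
        return (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1
    if fourcc == b"VP8 " and len(p) >= 10 and p[3:6] == b"\x9d\x01\x2a":   # lossy keyframe
        w, h = struct.unpack_from("<HH", p, 6)
        return w & 0x3FFF, h & 0x3FFF
    return None

def inventory(data: bytes):
    """List every chunk that carries image properties, in file order."""
    return [(cc.decode("ascii", "replace"), dims)
            for cc, p in walk_chunks(data) if (dims := dimensions(cc, p))]

def chunk(fourcc: bytes, payload: bytes) -> bytes:
    return fourcc + struct.pack("<I", len(payload)) + payload + b"\0" * (len(payload) & 1)

# Constructed sample: headers only (4x3 canvas), no decodable pixel data.
BODY = (chunk(b"VP8X", bytes(4) + (3).to_bytes(3, "little") + (2).to_bytes(3, "little"))
        + chunk(b"VP8L", b"\x2f" + struct.pack("<I", 3 | (2 << 14))))
SAMPLE = b"RIFF" + struct.pack("<I", 4 + len(BODY)) + b"WEBP" + BODY
```

A chunk whose declared size runs past the container raises `ValueError` instead of being sliced, which is the check a triage tool needs before handing anything to a decoder.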
Re: (Score:2)
3- Pretty low compatibility with programs. Some things can move them around, but you're better off with a jpg, png, or gif.
I don't think your info is current. From what I see, I can use webp just fine in programs like Gimp or LibreOffice. Heck, even MS Paint can open webp.
Re: My gosh how is this possible (Score:1)
Or how likely another application already has the context to run this overflow location for no apparent reason......