Just days after Apple released iOS 16.6.1 to secure iPhones and iPads against a critical zero-day exploit involving ImageIO, Google has rushed out an emergency security update for Chrome users for a zero-day threat impacting the WebP image format. The coincidences run deeper than both addressing critical malicious image creation exploits, though.
09/14 update below. This article was originally published on September 12.
Are CVE-2023-4863, Blastpass, iOS, And Chrome Security Updates Connected?
Apple and Google remain tight-lipped when it comes to releasing technical details concerning such zero-days to prevent further exploits while users are still updating devices. However, as my colleague Kate O’Flaherty reported, CVE-2023-41064 is a vulnerability that “could allow an adversary to execute code via a maliciously crafted images,” which was used in an attack called BLASTPASS and “leveraged PassKit attachments containing malicious images” according to Citizen Lab.
The Chrome zero-day, CVE-2023-4863, is a heap buffer overflow issue in the WebP image format. Although there is no confirmation as of yet, an exploit could potentially enable a zero-click attack when visiting a website containing a malicious image. The BLASTPASS exploit was also a zero-click attack, capable of compromising iPhones without any interaction, according to the Citizen Lab report.
Coincidence? Possibly, but it has to be noted that the Citizen Lab report was dated September 7, and the Chrome zero-day was reported to Google on September 6. By the Apple Security Engineering and Architecture team and Citizen Lab, no less.
I have approached Apple, Citizen Lab, and Google for a statement and will update this article if any is forthcoming.
09/14 update: Developer and blogger Alex Ivanovs has confirmed that, as well as web browsers, “any software that uses the libwebp library” is affected by this vulnerability, including Electron-based applications such as 1Password and Signal.
Ivanovs explains that the problem sits with the BuildHuffman Table function, introduced in 2014.
Other web browsers that have been updated to patch the zero-day WebP vulnerability include:
Brave, which has been updated to 116.0.5845.188
Edge, which has been updated to 116.0.1938.81 (116.1938.79 for iOS)
Firefox, which has been updated to 117.0.1
Opera, which has been updated to 102.0.4880.46
Vivaldi, which has been updated to 6.2.3105.47
There is still no confirmation that the WebP vulnerability is connected to the BLASTPASS exploit chain comprising two zero-days that could lead to iPhones getting infected by Pegasus spyware. Apple has, however, now released further security updates for earlier versions of iOS as well as iPadOS and macOS. Patches are now available for iOS 15.7.9, iPadOS 15.7.9, macOS Monterey 12.6.9 and macOS Big Sur 11.7.9. This means older iPhones, such as the iPhone 6 and 7, are now protected despite iOS 15 being out of support.
Update Your Chrome Browser Now
Meanwhile, Google has stated that Chrome updates to 116.0.5845.187 for Mac and Linux, and 116.0.5845.187/188 for Windows, will roll out across the coming days. Google also says that it is “aware that an exploit for CVE-2023-4863 exists in the wild.”
As such, and given that there appears to be a potential connection between the BLASTPASS spyware campaign and this emergency Chrome security update, all Chrome users are advised to update as soon as possible. Security updates are automatic, but it’s always best to check on your device to be sure that the fix has not only been downloaded but also activated. Head for the Help|About option to kickstart the update check process. Once a security update has been downloaded and installed, you will need to restart your browser to activate protection from this zero-day exploit.
Although it is not yet known if other Chromium-powered browsers such as Brave, Edge, Opera, and Vivaldi are impacted by this vulnerability, it would seem prudent to check these for security updates as well.
This post was created with our nice and easy submission form. Create your post!