Google has assigned a new CVE identifier to a serious security vulnerability in libwebp, the image library used to display images in the WebP format, which is being actively exploited in the wild.

libwebp is an open source library developed by Google for encoding, decoding and manipulating images in the WebP format. WebP is a modern, efficient image format that offers good image quality at smaller file sizes than formats such as JPEG and PNG.

libwebp provides developers with the tools necessary to encode, decode and manipulate WebP format images within their software applications.

It is widely used in various web applications and software to improve image performance and reduce web page loading times.

Problems recently encountered in this library

Identified as CVE-2023-5129, the issue was rated with the maximum severity score of 10.0 under the CVSS rating system. The flaw is rooted in the way the library builds its Huffman decoding tables.

With a specially crafted lossless WebP file, libwebp can write data outside the bounds of a heap buffer. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size taken from an array of precomputed sizes, kTableSize; the color_cache_bits value selects which entry to use. The kTableSize array only accounts for the 8-bit first-level table lookups, not for the second-level tables. libwebp allows codes up to 15 bits long (MAX_ALLOWED_CODE_LENGTH), so when BuildHuffmanTable() tries to fill in the second-level tables it can write past the end of the allocation. The actual out-of-bounds write into the undersized array occurs in ReplicateValue().
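The following is an added example, not code from libwebp or from the advisory, that models why a precomputed size cannot be correct here. It walks a set of canonical Huffman code lengths the way a two-level table builder does (first-level table indexed by 8 bits, second-level tables opened as longer codes spill past it), but only counts entries instead of writing them. The counting logic mirrors the structure of libwebp's BuildHuffmanTable()/NextTableBitSize() as described above; the function names, the sample code lengths and the "first-level-only" budget are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_CODE_LEN 15   /* libwebp's MAX_ALLOWED_CODE_LENGTH */
#define ROOT_BITS    8    /* first-level table is indexed by 8 bits */

/* Advance a bit-reversed canonical Huffman code of length len
 * (the same stepping a canonical two-level table builder performs). */
static uint32_t next_key(uint32_t key, int len) {
    uint32_t step = 1u << (len - 1);
    while (key & step) step >>= 1;
    return step ? (key & (step - 1)) + step : key;
}

/* Index width of the second-level table that starts at a code of length
 * len, given how many codes of each length remain to be placed. */
static int next_table_bits(const int count[], int len) {
    int left = 1 << (len - ROOT_BITS);
    while (len < MAX_CODE_LEN) {
        left -= count[len];
        if (left <= 0) break;
        ++len;
        left <<= 1;
    }
    return len - ROOT_BITS;
}

/* Dry run of two-level table construction. Returns the number of entries a
 * real build would write (root table plus every second-level table), or -1
 * if the lengths do not describe a complete prefix code. Writes nothing. */
int huffman_table_size(const int *code_lengths, int n) {
    int count[MAX_CODE_LEN + 1] = {0};
    int num_symbols = 0;
    for (int i = 0; i < n; i++) {
        if (code_lengths[i] < 0 || code_lengths[i] > MAX_CODE_LEN) return -1;
        count[code_lengths[i]]++;
        if (code_lengths[i] > 0) num_symbols++;
    }
    if (num_symbols == 0) return -1;
    if (num_symbols == 1) return 1 << ROOT_BITS;   /* single-symbol code */

    int total = 1 << ROOT_BITS;
    uint32_t key = 0, low = 0xffffffffu, mask = (1u << ROOT_BITS) - 1;
    int num_open = 1, num_nodes = 1;

    /* Codes of length <= ROOT_BITS live entirely in the root table. */
    for (int len = 1; len <= ROOT_BITS; len++) {
        num_open <<= 1;
        num_nodes += num_open;
        num_open -= count[len];
        if (num_open < 0) return -1;               /* over-subscribed */
        for (; count[len] > 0; --count[len]) key = next_key(key, len);
    }
    /* Longer codes spill into second-level tables. A new table opens each
     * time the low ROOT_BITS of the code change, and its size depends on
     * the lengths still to come, so it cannot be read off a fixed table. */
    for (int len = ROOT_BITS + 1; len <= MAX_CODE_LEN; len++) {
        num_open <<= 1;
        num_nodes += num_open;
        num_open -= count[len];
        if (num_open < 0) return -1;
        for (; count[len] > 0; --count[len]) {
            if ((key & mask) != low) {
                total += 1 << next_table_bits(count, len);
                low = key & mask;
            }
            key = next_key(key, len);
        }
    }
    if (num_nodes != 2 * num_symbols - 1) return -1;  /* incomplete tree */
    return total;
}

/* The check that prevents this bug class: never build into a buffer whose
 * size was not derived from the actual code lengths. */
int fits_in_budget(const int *code_lengths, int n, int budget) {
    int needed = huffman_table_size(code_lengths, n);
    return needed > 0 && needed <= budget;
}

/* Constructed inputs for the demonstration (not taken from any WebP file). */
int flat8_table_size(void) {
    int lengths[256];
    for (int i = 0; i < 256; i++) lengths[i] = 8;   /* 256 codes of 8 bits */
    return huffman_table_size(lengths, 256);
}

static const int kSkewed[16] = {1, 2, 3, 4, 5, 6, 7, 8,
                                9, 10, 11, 12, 13, 14, 15, 15};
int skewed_table_size(void) {
    return huffman_table_size(kSkewed, 16);
}

int main(void) {
    /* Hypothetical budget: what a sizing rule that only counts the 8-bit
     * first-level lookup would allocate. */
    const int first_level_only = 1 << ROOT_BITS;
    int need = skewed_table_size();
    printf("flat 8-bit code needs %d entries\n", flat8_table_size());
    printf("skewed code needs %d entries; a %d-entry buffer would be overrun by %d\n",
           need, first_level_only, need - first_level_only);
    printf("fits_in_budget(skewed, %d) = %d\n", first_level_only,
           fits_in_budget(kSkewed, 16, first_level_only));
    return 0;
}
```

The flat code fits exactly in the 256-entry root table, while the skewed code, which is a perfectly valid prefix code, forces a 128-entry second-level table on top of it. Any allocator that picks a size from a lookup indexed by something other than the code lengths themselves (here, a constant; in the advisory, color_cache_bits) will be wrong for some valid input, which is why the safe pattern is a counting pass over the real lengths followed by an allocation of exactly that size.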

The development comes after Apple, Google and Mozilla released fixes for a bug, reported separately as CVE-2023-41064 and CVE-2023-4863, that could lead to arbitrary code execution when processing a specially crafted image. Both issues appear to address the same underlying problem in the library.

According to Citizen Lab, CVE-2023-41064 is said to have been chained with CVE-2023-41061 as part of an iMessage zero-click exploit chain called BLASTPASS to deliver the mercenary spyware known as Pegasus. At the moment, further technical details are not known.

However, the decision to "incorrectly assign" CVE-2023-4863 as a vulnerability in Google Chrome alone obscured the fact that it affects virtually every other application that relies on the libwebp library to process WebP images, meaning it has a far broader impact than initially thought.

An analysis by Rezilion last week produced a broad list of applications, code libraries, frameworks and operating systems that are vulnerable to CVE-2023-4863.

“This package stands out for its efficiency, surpassing JPEG and PNG in terms of size and speed,” the company said. “As a result, numerous software, applications and packages have adopted this library or packages that depend on libwebp.”

The company then added: “The massive spread of libwebp significantly expands the attack surface, raising serious concerns for both users and organizations.”

The disclosure comes as Google has expanded its fixes for CVE-2023-4863 to include the Stable channel for ChromeOS and ChromeOS Flex with the release of version 15572.50.0 (browser version 117.0.5938.115).

It also follows new details published by Google Project Zero about the exploitation in the wild of CVE-2023-0266 and CVE-2023-26083 in December 2022 by commercial spyware vendors to target Samsung Android devices in the United Arab Emirates and gain kernel read/write access.

These issues are believed to have been used in conjunction with three other vulnerabilities, CVE-2022-4262, CVE-2022-3038 and CVE-2022-22706, by a customer or partner of Variston IT, a Spanish spyware company.

“Of particular note is the fact that this attacker created an exploit chain using multiple bugs from the kernel’s GPU drivers,” said security researcher Seth Jenkins. “These third-party Android drivers have varying code qualities and maintenance regularities, which presents a significant opportunity for attackers.”

The problem of poorly maintained third-party drivers has already been discussed in the Windows context, but it applies to other operating systems as well.