A zero-day vulnerability, known as CVE-2023-5129, has been discovered in a commonly used graphics file format called WebP. A zero-day vulnerability is an exploit found in a recently released update, so recent that there aren’t patches available yet. This vulnerability was initially identified by Apple and Citizen Lab as CVE-2023-4863 related to Google Chrome. However, it has been reevaluated and is now labeled as CVE-2023-5129, related to a resource library for computers.
The vulnerability lies in the libwebp library, which is used by most major browsers like Mozilla Firefox, Apple Safari, Microsoft Edge, and Google Chrome to render WebP images.
What is affected is a small piece of a much larger resource that a lot of computer applications use. Lists online with applications affected are incomplete because we don’t know everything that was affected, but it is something basic to many applications that can display an image. We recommend everyone investigate how they are affected. If you are a client of SpireTech’s, we will be distributing updates to common applications as they roll out.
Why is this vulnerability such a big deal? First, because it affects so much. Second, what a threat actor can do with it. The vulnerability would allow an attacker to run arbitrary code or expose sensitive data on the machine running the affected software.
A hacker could potentially take control of someone’s computer or access a person’s personal information if you’re using a browser with this vulnerability. It’s important to note that while exploiting this vulnerability requires some extended user interaction, it still permits remote code execution. As fixes become available, we recommend everyone update affected applications immediately to prevent potential malicious activities.
This xkcd comic demonstrates the gravity of the situation with this zero-day vulnerability. It is something integral to modern computers, so what it affects is wide sweeping.