Critical Vulnerability in libwebp Library

8 months ago AndyC

Critical Vulnerability in libwebp Library
Both Apple and Google have recently reported critical vulnerabilities in their systems—iOS and Chrome, respectively—that are ultimately the result of the same vulnerability in the libwebp library:

On Thursday,

Critical Vulnerability in libwebp Library

Both Apple and Google have recently reported critical vulnerabilities in their systems—iOS and Chrome, respectively—that are ultimately the result of the same vulnerability in the libwebp library:

On Thursday, researchers from security firm Rezillion published evidence that they said made it “highly likely” both indeed stemmed from the same bug, specifically in libwebp, the code library that apps, operating systems, and other code libraries incorporate to process WebP images.

Rather than Apple, Google, and Citizen Lab coordinating and accurately reporting the common origin of the vulnerability, they chose to use a separate CVE designation, the researchers said. The researchers concluded that “millions of different applications” would remain vulnerable until they, too, incorporated the libwebp fix. That, in turn, they said, was preventing automated systems that developers use to track known vulnerabilities in their offerings from detecting a critical vulnerability that’s under active exploitation.

Tags: , , , , ,

Sidebar photo of Bruce Schneier by Joe MacInnis.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , ,

More Stories

A cyberattack hit the US Healthcare giant Ascension

A cyberattack hit the US Healthcare giant Ascension

57 mins ago AndyC

Friday Squid Blogging: Squid Mating Strategies

13 hours ago AndyC

New Attack Against Self-Driving Car AI

19 hours ago AndyC
Google fixes fifth actively exploited Chrome zero-day this year

Google fixes fifth actively exploited Chrome zero-day this year

1 day ago AndyC
Russia-linked APT28 targets government Polish institutions

Russia-linked APT28 targets government Polish institutions

1 day ago AndyC
Boeing refused to pay 0 million ransomware demand from LockBit gang

Boeing refused to pay $200 million ransomware demand from LockBit gang

1 day ago AndyC

You may have missed

How to talk about climate change – and what motivates people to action: An interview with Katharine Hayhoe

56 mins ago AndyC

In it to win it! WeLiveSecurity shortlisted for European Security Blogger Awards

56 mins ago AndyC
A cyberattack hit the US Healthcare giant Ascension

A cyberattack hit the US Healthcare giant Ascension

57 mins ago AndyC

What was hot at RSAC 2024? – Week in security with Tony Anscombe

7 hours ago AndyC

RSAC 2024: AI hype overload

7 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.