Emergency Chrome update fixes critical WebP vulnerability

Slightly over 24 hours ago, Google rolled out an update for Chrome, specifically addressing the critical vulnerability CVE-2023-4863 in the WebP image format. This vulnerability had been reported by experts from the Citizen Lab at the University of Toronto. The update applies to both the stable and extended branches, with versions 116.0.5845.187 available for Mac and Linux, and 116.0.5845.187/.188 for Windows. Notably, cybercriminals have already exploited this vulnerability.

CVE-2023-4863 is a buffer overflow vulnerability found in WebP, an image format developed by Google. This format, widely used for high-quality image compression on the internet, unfortunately became the target of attackers who discovered and took advantage of this vulnerability in an open format.

The attack is rooted in the technique of buffer overflow, which can lead to the execution of malicious code. A similar issue related to WebP had recently been addressed by Apple engineers. The exploit discovered by Citizen Lab has been named BLASTPASS. What makes it particularly concerning is that it doesn't require any user interaction for Pegasus spyware to be downloaded after encountering a malicious image.

WebP is supported by many Chromium-based browsers like Edge, Opera, and Vivaldi, as well as various image editing programs. Google, in an effort to safeguard users, has chosen not to disclose the full details of the vulnerability until a substantial portion of Chrome users have updated their browsers. If it's determined that the vulnerability also affects the WebP library used in other projects, information about it will be kept under wraps for a certain period.

You'll find Google's official word here.

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: