jilovisual.blogg.se

Chromium based edge














Update (): Yet another update! This time, it's because Google has finally issued a separate CVE for the actual libwebp library, and they've tagged it as CVE-2023-5129. You can expect an update to be released in October for that.

But don't panic, though, because as Ben explains in his report - as severe as the vulnerability is (Red Hat has given it a 9.6 score), your average off-the-sidewalk hacker will have a hard time putting the pieces together. I also learned that Puppeteer might be affected, and Ben has now confirmed that Android is 100% affected by this. Over the last week, I have seen a staggering number of applications and software push updates. Much like myself, Ben also thinks that this 0-day is directly related to the BLASTPASS report from Citizen Lab.

Update (): Alright, here we are, one week since the last update, and I got another one to add here because it is pretty significant.

Ben Hawkes, who used to work for Google as the manager of Project Zero, has done an entire write-up on his thoughts on this CVE, as well as a real-world example (Proof of Concept); read it here: The WebP 0day. Subsequently, Apple made an update (September 7) to their ImageIO library and called it a "buffer overflow" (I linked it further down below), but Apple never assigned it a CVE; instead, they disclosed it with Google first, who then issued the fix (September 11). If you're interested, you can read this report from Citizen Lab (September 7) on a zero-click exploit they found in the wild. The way that CVE publishing works is that each issue (in this case a 0day in WebP Codec) is listed individually for each software, and the same CVE is assigned independently when the next software is found to have this bug. I want to address this also because I don't want to leave an impression that Mitre made a mistake in assigning this CVE; what they should have done is make it clearer that the issue was broader than just Chromium. How come Mitre marked this as Chrome-only?


But I don't know the full scope of this because there isn't a catalog of apps to browse to see who is using the WebP Codec or who isn't. I also know that software like Obsidian is going to bump their Electron version to address the bug. I know that Telegram Desktop made an update and I have seen Ubuntu, Debian, SUSE and other Linux platforms also actively updating their libwebp versions. Update (): Okay, so, I thought I would give an update as I have been getting a lot of emails about this, and I can't spend so much time trying to answer each one individually.


1Password (like many others) is an application built with Electron, and until all these apps upgrade to the latest version - they are considered vulnerable based on the severity of the bug.


Update (): 1Password for Mac has released an update to address the issue.

👉 Who uses libwebp? There are a lot of applications that use libwebp to render WebP images. I already mentioned a few of them, but some of the others that I know include: Affinity (the design software), GIMP, Inkscape, LibreOffice, Telegram, Thunderbird (now patched), ffmpeg, and many, many Android applications, as well as cross-platform apps built with Flutter. CVE-2023-4863 was falsely marked as Chrome-only by Mitre and other organizations that track CVEs, and 100% of media reported this issue as "Chrome only", when it's not. Also, software like Honeyview (from Bandisoft) released an update to fix the issue. Electron patched the vulnerability yesterday. This includes Electron-based applications, for example - Signal.

⚠️ Important: Let me make it perfectly clear that this vulnerability doesn't just affect web browsers; it affects any software that uses the libwebp library. If your browser of choice is using Chromium, then expect an update to have already been rolled out or to be rolled out shortly.

Update (): So far the web browsers that have confirmed a fix and released an update include: Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, and Tor Browser.
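An added example, not code from the original post: a small Python inventory that walks a directory tree and lists candidate places to check, namely shared-library copies of libwebp and Electron app bundles (which carry the codec inside the bundled Chromium rather than as a separate file). The file-name pattern and the Electron markers are heuristics assumed here, and the sample tree and its app names are constructed.

```python
import os
import re
import sys
import tempfile

# File names under which libwebp (and its mux/demux/decoder variants) ships as a shared library.
LIBWEBP_RE = re.compile(
    r"^(lib)?webp(demux|mux|decoder)?([-.][-.\w]*)?\.(so|dll|dylib)(\.\d+)*$", re.I)

def inventory(root):
    """Return sorted (kind, path) candidates found under root."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        # macOS Electron apps embed this framework directory.
        if "Electron Framework.framework" in dirnames:
            found.add(("electron-bundle",
                       os.path.join(dirpath, "Electron Framework.framework")))
        for name in filenames:
            if LIBWEBP_RE.match(name):
                found.add(("libwebp-shared", os.path.join(dirpath, name)))
            # Windows/Linux Electron apps usually keep their code in resources/app.asar.
            elif name == "app.asar" and os.path.basename(dirpath).lower() == "resources":
                found.add(("electron-bundle", os.path.dirname(dirpath)))
    return sorted(found)

def build_sample_tree(root):
    """Constructed directory layout (hypothetical app names) for an offline run."""
    files = [
        "usr/lib/libwebp.so.7",                  # system shared library
        "opt/ExampleNotes/resources/app.asar",   # Electron app on Linux/Windows
        "opt/tool/libwebpack.so",                # unrelated name, must not match
        "Apps/Example.app/Contents/Frameworks/Electron Framework.framework/Info.plist",
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = inventory(sys.argv[1])       # scan a real directory
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)             # scan the constructed sample
            results = inventory(tmp)
    for kind, path in results:
        print(f"{kind}\t{path}")
```

A hit only means the software is worth checking against its vendor's fixed release; copies of the codec that are statically linked into other programs will not show up in a file-name scan.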














