Every so often a software vulnerability pops up and reminds us that security can’t be a set-it-and-forget-it kind of job. As technology outlets spread the news about a new vulnerability last week, the advice was mostly the same as it always is: patch and update your software. This one was handled a little differently inside the industry, though, because of where the vulnerability lived. Today, we’ll have a look at where these problems come from and what you can do to make sure your software is as secure as possible.
Library Vulnerabilities
The vulnerability in question is tracked as CVE-2023-4863, and it lives in a software library called LibWebP. If that seems like a strange name, it’s because “Lib” is short for “library”: a collection of premade functions that developers pull into their own programs as building blocks, usually written by someone else or by a community of developers. The “WebP” part is an image format you may not have heard of. It is widely used on websites and in web applications, but it is not something most people save or open by hand in everyday use.
When a library is the source of a vulnerability, the problem is far more widespread than a typical vulnerability in a single product. Since many code libraries can be used on different platforms (Windows, Mac, or Linux), a flaw in a library affects not just one program or operating system, but every program that includes that library in its code, each of which has to ship its own fix. LibWebP is probably one of the best examples of a very widespread vulnerability because of what its code is found in…
Beyond the Browser
Google first announced this vulnerability when it rolled out fixes for its own web browser, Chrome. Chrome is itself the largest browser in the world, with almost two-thirds of the web browsing market. That share is effectively even higher when you remember that number three on the list, Microsoft Edge, is built on the same open-source project (Chromium) that Chrome is built on. Since the two share a codebase, problems like the LibWebP vulnerability usually affect both browsers, and Edge needed its own update.
LibWebP is in a whole lot more apps than browsers, though, because it ships as part of the Electron framework. Electron is a way for developers to build cross-platform desktop apps out of web interfaces, with a copy of Chromium bundled inside. In other words, apps built on Electron, such as Microsoft Teams, Signal, and Slack, are mini web browsers of their own, and other desktop apps such as Zoom bundle the library directly. Every single one of these apps was vulnerable to exploitation until its vendor shipped an update containing a fixed LibWebP; updating Chrome does nothing for the copy inside Slack.
Strength in Numbers
The wide-ranging scope of the issue wasn’t evident at the time Google announced the flaw. Google fixed it as part of its own security update for Chrome and filed the CVE as a Chrome bug, even though the problem was in LibWebP, which is (ironically) Google’s own library for its own image format. Tracking it as a browser bug understated how many other products were exposed. Other companies soon worked out that the same LibWebP flaw affected them: the internet infrastructure company Cloudflare took notice of the problem Google had patched and found it in its own image-handling software. From there, it was clear that any app that decodes WebP images with LibWebP is vulnerable until it is updated to a fixed copy of the library.
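One practical problem for anyone trying to gauge exposure is that WebP files are not always named .webp; a browser or chat app decides how to decode an image from the bytes, not the extension. The script below is an added example, not code from the original post or from Google’s LibWebP project. It reads only the WebP container header (the RIFF “WEBP” signature and the VP8/VP8L/VP8X chunk headers, as laid out in the public WebP container specification) and reports the encoding and dimensions without decoding any pixels, so it is safe to run on untrusted files. The sample byte strings are constructed header-only stubs for illustration and are not valid images. The lossless (VP8L) case is called out because the CVE-2023-4863 overflow was in the lossless decoder’s Huffman-table code.

```python
"""Identify WebP files by their container header rather than by file extension."""
import os
import struct
import sys
from typing import Optional

RIFF_HEADER_LEN = 12


def parse_webp(data: bytes) -> Optional[dict]:
    """Return basic facts about a WebP file, or None if the bytes are not WebP.

    Only container and image headers are read; no pixel data is decoded.
    """
    if len(data) < RIFF_HEADER_LEN or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    info = {
        "riff_size": struct.unpack_from("<I", data, 4)[0],
        "chunks": [],
        "encoding": None,   # "lossless" (VP8L chunk) or "lossy" (VP8 chunk)
        "extended": False,  # True when a VP8X chunk (animation/alpha/metadata) is present
        "width": None,
        "height": None,
        "truncated": False,
    }
    pos = RIFF_HEADER_LEN
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = data[pos + 8:pos + 8 + size]
        info["chunks"].append(fourcc.decode("ascii", "replace"))
        if len(payload) < size:
            # The chunk claims more bytes than the file holds: stop, do not guess.
            info["truncated"] = True
            break
        if fourcc == b"VP8X" and len(payload) >= 10:
            # Extended header: flags byte, 3 reserved bytes, 24-bit width-1, 24-bit height-1.
            info["extended"] = True
            info["width"] = int.from_bytes(payload[4:7], "little") + 1
            info["height"] = int.from_bytes(payload[7:10], "little") + 1
        elif fourcc == b"VP8L" and len(payload) >= 5 and payload[0] == 0x2F:
            # Lossless header: signature byte 0x2F, then 14-bit width-1, 14-bit height-1,
            # 1 alpha bit and a 3-bit version, packed little-endian.
            bits = int.from_bytes(payload[1:5], "little")
            info["encoding"] = "lossless"
            if info["width"] is None:  # VP8X canvas size takes precedence when present
                info["width"] = (bits & 0x3FFF) + 1
                info["height"] = ((bits >> 14) & 0x3FFF) + 1
        elif fourcc == b"VP8 " and len(payload) >= 10 and payload[3:6] == b"\x9d\x01\x2a":
            # Lossy key frame: 3-byte frame tag, start code 9d 01 2a, then 16-bit width
            # and height fields whose low 14 bits hold the dimension.
            info["encoding"] = "lossy"
            if info["width"] is None:
                info["width"] = int.from_bytes(payload[6:8], "little") & 0x3FFF
                info["height"] = int.from_bytes(payload[8:10], "little") & 0x3FFF
        # RIFF chunks are padded to an even length.
        pos += 8 + size + (size & 1)
    return info


def scan_directory(root: str) -> list:
    """Walk a directory tree and list every file that is WebP by magic, whatever its name."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    info = parse_webp(fh.read())
            except OSError:
                continue
            if info is not None:
                found.append((path, info))
    return found


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(*chunks: bytes) -> bytes:
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples (header stubs only, not decodable images).
SAMPLE_LOSSLESS = _riff(_chunk(b"VP8L", b"\x2f" + ((16 - 1) | ((8 - 1) << 14)).to_bytes(4, "little") + b"\x00"))
SAMPLE_LOSSY = _riff(_chunk(b"VP8 ", b"\x00\x00\x00\x9d\x01\x2a" + (320).to_bytes(2, "little") + (240).to_bytes(2, "little")))
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20
# A VP8L chunk that claims 100 bytes of payload but is followed by only 2.
SAMPLE_TRUNCATED = b"RIFF" + struct.pack("<I", 112) + b"WEBP" + b"VP8L" + struct.pack("<I", 100) + b"\x2f\x00"

if __name__ == "__main__":
    for label, blob in (("lossless", SAMPLE_LOSSLESS), ("lossy", SAMPLE_LOSSY), ("png", SAMPLE_PNG), ("truncated", SAMPLE_TRUNCATED)):
        print(label, parse_webp(blob))
    if len(sys.argv) > 1:
        for path, info in scan_directory(sys.argv[1]):
            print(path, info["encoding"], info["width"], info["height"], "TRUNCATED" if info["truncated"] else "")
```

Run it with a directory argument (for example a mail attachment folder or a browser cache) to see which files are really WebP. A file reported as lossless and arriving from an untrusted source is exactly the kind of input the unpatched library mishandled, which is a reason to confirm the decoding application is updated rather than a reason to open the file.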
Security is a Process
The main takeaway for users is that regular patching is the single most important way to combat vulnerabilities in your software, and a flaw like this one needs every affected app updated, not just the browser. For our customers, that means making sure that your workstations are left on—either logged out of Windows but powered on, or with the screen locked by holding Ctrl+Alt+Del and then selecting Lock—on the night of the month that your patching is scheduled for. If a browser or other application can update itself, allow it to do so and relaunch it when asked, since the fix does not take effect until the app restarts. Even if you’re the type of person who leaves more than ten tabs open in your browser, when you relaunch the browser you can go to History and reopen all of those tabs, then keep plugging away where you left off.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team