A massive security bug has just been discovered that affects WebP images used in untold numbers of websites and apps, and it could potentially let hackers break into your computer and extract data from it. In fact, Google has already seen it being actively exploited in the wild. Because of that, it’s essential that you patch your computer as soon as possible.
The discovery has been detailed by researcher Alex Ivanovs, who wrote about the bug in a blog post. Right now, it seems to affect almost all of the best web browsers, including Chrome, Firefox, Edge, and Brave. WebP images are used all over the web, meaning huge numbers of sites and apps could be affected.
The vulnerability is what’s called a heap overflow bug in a codec that decodes and displays WebP images. A heap overflow occurs when an app writes more data into a buffer in its “heap” memory than that buffer was allocated to hold. The excess spills over into neighbouring memory, corrupting whatever the app had stored there, and an attacker who controls the overflowing data can use that corruption to make the app behave in unexpected, and potentially malicious, ways.
In the case of WebP files, an attacker could craft a WebP image that carries malicious code. When you view this image, the code could be executed, allowing the attacker to gain access to your computer or steal data stored on it, which might include incredibly sensitive information like your passwords or credit card details.
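As an added illustration, not code from the article or from any WebP library, the following Python walks the RIFF container of a WebP file and refuses to go on whenever a declared length would reach beyond the bytes actually supplied, the kind of length check a decoder must apply to every size field before sizing a buffer or copying into it. It checks container structure only and does not detect the CVE-2023-4863 defect itself, which sits deeper inside the image decoder; the sample files it builds are constructed and are not real images.

```python
import struct
from typing import List, Tuple

def build_webp(declared_size: int, payload: bytes) -> bytes:
    """Constructed sample: a one-chunk WebP container. The chunk header's
    size field comes from `declared_size`, so the header can be made to lie."""
    body = b"VP8L" + struct.pack("<I", declared_size) + payload
    if len(body) % 2:            # RIFF pads odd-length chunks to an even boundary
        body += b"\x00"
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body

def parse_webp_chunks(data: bytes) -> List[Tuple[str, int]]:
    """Walk the RIFF chunk list of a WebP file, raising ValueError as soon as
    any declared length is inconsistent with the bytes that are present."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack("<I", data[4:8])[0]
    end = 8 + riff_size          # the RIFF size counts everything after its own field
    if end > len(data):
        raise ValueError(f"RIFF header claims {riff_size} bytes, file has {len(data) - 8}")
    chunks, pos = [], 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        payload_start = pos + 8
        # A decoder that allocates or copies on `size` alone, without this
        # comparison, reads or writes past the end of its buffer.
        if size > end - payload_start:
            raise ValueError(f"chunk {fourcc!r} declares {size} bytes, "
                             f"only {end - payload_start} remain")
        chunks.append((fourcc.decode("ascii", errors="replace"), size))
        pos = payload_start + size + (size & 1)   # skip payload plus pad byte
    return chunks

def is_well_formed(data: bytes) -> bool:
    """True when every length field agrees with the data actually present."""
    try:
        parse_webp_chunks(data)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    SAMPLE = b"\x2f\x00\x00\x00\x00"   # constructed bytes, not a real VP8L bitstream
    print(parse_webp_chunks(build_webp(len(SAMPLE), SAMPLE)))   # [('VP8L', 5)]
    print(is_well_formed(build_webp(0x7FFFFFFF, SAMPLE)))       # False
```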
Huge numbers of websites use WebP files due to their excellent balance of quality and file size, so the number of users who could be affected by this exploit is enormous. But that’s not the only thing that makes this bug so serious.
Not just websites
Because the bug affects a WebP codec, it’s also found in many apps that need a way to display WebP images. Apps affected include Telegram, 1Password, Signal, LibreOffice, the Affinity suite of design apps, and many more.
The developers of several of these apps have begun rolling out fixes, with 1Password, Chrome, Firefox, Edge, and Brave having issued updates. Apple has also published an update to macOS Ventura that supposedly fixes the bug.
Ivanovs says that the vulnerability was first reported by Apple’s Security Engineering and Architecture team, together with The Citizen Lab at The University of Toronto’s Munk School. The bug was reported on September 6, 2023, and has the identifier CVE-2023-4863.
Due to the potential severity of this bug, you should check your apps for updates as soon as possible, and make sure to update them as quickly as you can. That’s the best way to keep your computer safe from this exploit.