WHOOPS — Incomplete disclosures by Apple and Google create huge blindspot for 0-day hunters
No one mentioned that libwebp, a library found in millions of apps, was a 0-day origin.
Dan Goodin – Sep 21, 2023 10:19 pm UTC
Incomplete information in recent disclosures by Apple and Google reporting critical zero-day vulnerabilities under active exploitation in their products has created a huge blindspot that's causing a large number of offerings from other developers to go unpatched, researchers said Thursday.
Two weeks ago, Apple reported that threat actors were actively exploiting a critical vulnerability in iOS so they could install the spyware known as Pegasus. The attacks used a zero-click method, meaning they required no interaction on the part of targets. Simply receiving a call or text on an iPhone was enough to become infected by Pegasus, which is among the world's most advanced pieces of known malware.
Huge blindspot
Apple said the vulnerability, tracked as CVE-2023-41064, stemmed from a buffer overflow bug in ImageIO, a proprietary framework that allows applications to read and write most image file formats, including one known as WebP. Apple credited the discovery of the zero-day to Citizen Lab, a research group at the University of Toronto's Munk School that follows attacks by nation-states targeting dissidents and other at-risk groups.
Four days later, Google reported a critical vulnerability in its Chrome browser. The company said the vulnerability was what's known as a heap buffer overflow and that it was present in WebP. Google went on to warn that an exploit for the vulnerability existed in the wild. Google said that the vulnerability, designated CVE-2023-4863, was reported by the Apple Security Engineering and Architecture team and Citizen Lab.
Speculation, including from me, quickly arose that a large number of similarities strongly suggested that the underlying bug for both vulnerabilities was the same. On Thursday, researchers from security firm Rezillion published evidence that they said made it highly likely both indeed stemmed from the same bug, specifically in libwebp, the code library that apps, operating systems, and other code libraries incorporate to process WebP images.
Rather than Apple, Google, and Citizen Lab coordinating and accurately reporting the common origin of the vulnerability, they chose to use a separate CVE designation, the researchers said. The researchers concluded that millions of different applications would remain vulnerable until they, too, incorporated the libwebp fix. That, in turn, they said, was preventing automated systems developers use to track known vulnerabilities in their offerings from detecting a critical vulnerability that's under active exploitation.
"Since the vulnerability is scoped under the overarching product containing the vulnerable dependency, the vulnerability will only be flagged by vulnerability scanners for these specific products," Rezillion researchers Ofri Ouzan and Yotam Perkal wrote. "This creates a HUGE blindspot for organizations blindly relying on the output of their vulnerability scanner."
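The blindspot described above comes from matching on the CVE's product scope rather than on the dependency itself. The practical workaround is to inventory libwebp directly in your own artifacts and compare versions, without waiting for a scanner's CVE feed to associate the bug with your product. The following script is an added example (not Rezillion's, Google's, or Ars Technica's code) that walks a CycloneDX-style SBOM, including nested components, and flags any libwebp below the fixed upstream release. The SBOM content is constructed for illustration; the fixed version is taken as libwebp 1.3.2, the upstream release that carried the fix, which the page itself does not state; and the list of package names and the distro purl types are assumptions you should extend for your own environment.

```python
import json
import re
from typing import Iterator

# Constructed CycloneDX-style SBOM fragment; every product and version here is illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "chromium", "version": "116.0.5845.187",
         "purl": "pkg:generic/chromium@116.0.5845.187"},
        {"name": "photo-editor", "version": "4.2.0",
         "purl": "pkg:generic/photo-editor@4.2.0",
         # Nested component: the app statically bundles its own libwebp.
         "components": [
             {"name": "libwebp", "version": "1.2.4", "purl": "pkg:generic/libwebp@1.2.4"},
         ]},
        {"name": "libwebp", "version": "1.3.2", "purl": "pkg:generic/libwebp@1.3.2"},
        {"name": "libwebp-dev", "version": "1.3.1-2", "purl": "pkg:deb/debian/libwebp-dev@1.3.1-2"},
    ],
})

# Assumption: the upstream libwebp release carrying the fix is 1.3.2 (not stated on the page).
FIXED_VERSION = (1, 3, 2)
# Assumption: common package names under which libwebp ships; extend for your ecosystem.
LIBWEBP_NAMES = {"libwebp", "libwebp-dev", "libwebp6", "libwebp7"}
# Distro packages routinely backport fixes without bumping the upstream version string,
# so a version comparison alone is not conclusive for these purl types.
DISTRO_TYPES = {"deb", "rpm", "apk"}


def parse_version(v: str) -> tuple:
    """Turn '1.3.1-2' or '1.2.4' into a comparable tuple of the leading integers."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        return (0, 0, 0)
    return tuple(int(x) for x in m.groups())


def walk_components(components: list, path: tuple = ()) -> Iterator[tuple]:
    """Yield (path, component) for every component, descending into nested ones."""
    for comp in components:
        here = path + (f"{comp.get('name')}@{comp.get('version')}",)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)


def purl_type(purl: str) -> str:
    """Return the package type from a purl such as 'pkg:deb/debian/libwebp-dev@1.3.1-2'."""
    if not purl.startswith("pkg:"):
        return ""
    return purl[len("pkg:"):].split("/", 1)[0]


def find_libwebp(sbom_json: str) -> list:
    """Flag every libwebp component in the SBOM, regardless of which product contains it."""
    sbom = json.loads(sbom_json)
    findings = []
    for path, comp in walk_components(sbom.get("components", [])):
        if comp.get("name", "").lower() not in LIBWEBP_NAMES:
            continue
        version = comp.get("version", "")
        if purl_type(comp.get("purl", "")) in DISTRO_TYPES:
            status = "check-distro-advisory"   # backported fix may not change the version
        elif parse_version(version) < FIXED_VERSION:
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append({"path": " > ".join(path), "version": version, "status": status})
    return findings


if __name__ == "__main__":
    for f in find_libwebp(SAMPLE_SBOM):
        print(f"{f['status']:<22} {f['path']}")
```

The nested walk is the important part: a scanner that only keys on top-level products named in the CVE never reaches the copy of libwebp that photo-editor bundles, while this check reports it by path. The distro branch exists because Debian, Red Hat and Alpine patch in place and keep the upstream version number, so those hits have to be resolved against the distribution's own advisory rather than the number alone.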
Google has further come under criticism for limiting the scope of CVE-2023-4863 to Chrome rather than to libwebp. The official CVE description likewise describes the vulnerability as a "heap buffer overflow in WebP in Google Chrome."
In an email, a Google representative wrote: "Many platforms implement WebP differently. We do not have any details about how the bug impacts other products. Our focus was getting a fix out to the Chromium community and affected Chromium users as soon as possible. It is best practice for software products to track upstream libraries they depend on in order to pick up security fixes and improvements."
The representative noted that the WebP image format is mentioned in its disclosure and on the official CVE page. The representative didn't explain why the official CVE and Google's disclosure did not mention the widely used libwebp library or the likelihood that other software was also vulnerable.
The Google representative didn't answer a question asking if CVE-2023-4863 and CVE-2023-41064 stemmed from the same vulnerability. Citizen Lab and Apple didn't respond to emailed questions before this story went live.
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.