The WebP zero-day (CVE-2023-4863) is a vulnerability that targets the widely used open-source library, libwebp. Successful exploitation leads to a heap overflow that works across multiple browsers, operating systems, and applications. It's likely that CVE-2023-4863 is the same vulnerability used in the BLASTPASS attacks (CVE-2023-41064), which was a way to bypass the Apple iMessage sandbox.
An attacker can exploit the CVE-2023-4863 vulnerability in libwebp by using a specially crafted WebP lossless file to write data beyond the heap boundaries. A heap-based buffer overflow is a major vulnerability, and the functionality that causes it to happen falls in line with the atypical behavior of the majority of these programs.
Moving outside of the initial buffer overflow and anticipating further actions such as hijack of execution flow, as well as shellcode/process injection techniques will be a likely way forward since the vulnerable processes do not typically perform actions, such as allocating sections of unbacked memory. We can leverage the behavioral-based and in-memory preventions in Todyl’s EDR to alert when adversaries modify the call stack to perform a full exploit chain leveraging this heap-based overflow vulnerability.
Update Chrome immediately. The newest Stable Channel release addresses the vulnerability.
Subscribe to receive the latest insights, news, and updates from Todyl.