Threat Advisory: Critical WebP Zero-Day

Aaron Goldstein
Brent Murphy
September 28, 2023

Quick facts

  • The WebP zero-day (CVE-2023-4863) vulnerability affects many major browsers including Chrome, as well as OS and apps.
  • The vulnerability targets the libwebp library and uses heap buffer overflows to write data in restricted areas of a system’s memory.
  • Update Chrome immediately to address this critical vulnerability.

Summary

The WebP zero-day (CVE-2023-4863) is a vulnerability that targets the widely used open-source library, libwebp. Successful exploitation leads to a heap overflow that works across multiple browsers, operating systems, and applications. It's likely that CVE-2023-4863 is the same vulnerability used in the BLASTPASS attacks (CVE-2023-41064), which was a way to bypass the Apple iMessage sandbox.

How it works

An attacker can exploit the CVE-2023-4863 vulnerability in libwebp by using a specially crafted WebP lossless file to write data beyond the heap boundaries. A heap-based buffer overflow is a major vulnerability, and the functionality that causes it to happen falls in line with the atypical behavior of the majority of these programs.  

Moving outside of the initial buffer overflow and anticipating further actions such as hijack of execution flow, as well as shellcode/process injection techniques will be a likely way forward since the vulnerable processes do not typically perform actions, such as allocating sections of unbacked memory. We can leverage the behavioral-based and in-memory preventions in Todyl’s EDR to alert when adversaries modify the call stack to perform a full exploit chain leveraging this heap-based overflow vulnerability.

What makes this difficult to detect?

  • The scope is very widespread across many products.
  • Normal behavior for these processes to parse/handle image formats, so identifying purposefully malicious ones can be difficult.
  • To successfully trigger the Heap Overflow perfectly sized tables need to be generated in the correct order. While this may be actionable, identifying singular tables that are generated that match the specific length will cause a high number of false positives since it requires a chain of tables to execute.

How to address

Update Chrome immediately. The newest Stable Channel release addresses the vulnerability.

Timeline

  • September 6: Apple Security Engineering and Architecture (SEAR) and The Citizen Lab notifies Google about a critical vulnerability in the WebP library (libwebp)
  • September 7: Apple assigns CVE-2023-41064 (ImageIO)
  • September 11: Google assigns CVE-2023-4863  
  • September 25: Google assigns CVE-2023-5129 to expand impact of CVE-2023-4863
  • September 27: Google rejects CVE-2023-5129, marking it as a duplicate of CVE-2023-4863

References

Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Why I Joined Todyl: Spotlight on David Dewey
How Todyl addresses the "Pandemic 11"
Understanding AMSI bypass techniques

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.