2023-09-21
Apple ImageIO Vulnerability and Chrome Zero Day Likely Have Same Underlying Cause
Earlier this month, Apple said that threat actors were exploiting a critical vulnerability (CVE-2023-41064) in iOS to install Pegasus spyware. That vulnerability, according to Apple, was a buffer overflow issue in ImageIO and was reported by The Citizen Lab at The University of Toronto’s Munk School. Several days later, Google reported a critical heap buffer overflow vulnerability (CVE-2023-4863) in the WebP image library in Chrome that it says was reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto’s Munk School. ImageIO supports WebP files. Researchers began to suspect there was a connection between the vulnerabilities. Researchers from Rezilion analyzed the vulnerabilities and concluded that “the underlying issue in the libwebp library” is likely the source of both vulnerabilities.
Editor's Note
I don't think this is an Apple specific issue, but more an illustration of how complex software supply chains make it difficult to identify related vulnerabilities. Code is often not included by just simply dynamically loading a particular library. Instead, code is statically linked or worse, copy/pasted.
Johannes Ullrich
Whether you compile from source or download the binary, issues at the source level must be considered. The tricky part is monitoring for issues with externally sourced code in your environment. The Rezilion researchers have identified many packages using the flawed libwebp package. Make sure your vulnerability scanner has the checks specific to CVE-2023-4863 or you'll get false negatives on flawed versions of libwebp in your environment. Many vendors have released packages for affected packages like chromium and Firefox, as well as for affected software and updated libwebp libraries for you to deploy post haste.
Lee Neely
The Isosceles write-up goes into a lot of detail on this. The technical content gets very deep into how the exploit is triggered.
Moses Frost
Libwebp is an open-source software library. While we’re unsure how the vulnerability was introduced into the library, pretty much every modern browser is affected. This is yet another example of a software supply chain that affects a wide swath of vendor products. As this vulnerability is being actively exploited, immediately update your browser and check for updates from other application vendors that also might be affected.