[RndTbl] CVE-2023-41064
Gilbert Detillieux
Gilbert.Detillieux at umanitoba.ca
Thu Oct 5 11:16:41 CDT 2023
More background info...
https://securityboulevard.com/2023/09/patch-everything-widely-used-webp-code-has-critical-bug/
I didn't realize WebP had been around since 2010. Yikes, that's a long
time for a vulnerability to be hanging around, patiently waiting to be
adopted by us trusting souls!
And, coincidentally...
https://www.malwarebytes.com/blog/news/2023/09/pegasus-spyware-and-how-it-exploited-a-webp-vulnerability
... the company behind Pegasus has also been around since 2010. Not
going into conspiracy theory, but it does mean there has been a long
window of vulnerability to be potentially exploited here, by very
motivated (and well-funded) bad actors.
Gilbert
On 2023-10-05 10:48 a.m., Gilbert Detillieux wrote:
> On 2023-10-04 8:16 p.m., Trevor Cordes wrote:
>> Fun.
>>
>> https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-imageio-webp-zero-days
>>
>> If you have an Apple device, it must be updated. If it's no longer
>> supported/updated, throw it away.
>
> See also...
>
> https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-rated-cve-to-libwebp-bug-exploited-in-attacks/
> https://www.bleepingcomputer.com/news/security/apple-backports-blastpass-zero-day-fix-to-older-iphones/
> ...
--
Gilbert Detillieux E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science Web: http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba Phone: 204-474-8161
Winnipeg MB CANADA R3T 2N2
For best CS dept. service, contact <cs-support at lists.umanitoba.ca>.