Critical Vulnerability in libwebp Library

Both Apple and Google have recently reported critical, actively exploited vulnerabilities in their products (iOS and Chrome, respectively, tracked as CVE-2023-41064 and CVE-2023-4863) that are ultimately the same out-of-bounds write in libwebp, the image library both products embed to decode WebP:

On Thursday, researchers from security firm Rezilion published evidence that they said made it “highly likely” both indeed stemmed from the same bug, specifically in libwebp, the code library that apps, operating systems, and other code libraries incorporate to process WebP images.

Rather than Apple, Google, and Citizen Lab coordinating and accurately reporting the common origin of the vulnerability, they chose to use a separate CVE designation, the researchers said. The researchers concluded that “millions of different applications” would remain vulnerable until they, too, incorporated the libwebp fix. That, in turn, they said, was preventing automated systems that developers use to track known vulnerabilities in their offerings from detecting a critical vulnerability that’s under active exploitation.

EDITED TO ADD (10/12): Google quietly corrected their disclosure.
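The point in the quoted paragraphs is a tooling one: a scanner that matches advisories by the product they were filed against ("Google Chrome") cannot flag an application that vendors libwebp, so the CVE has to be remapped to the library. The following is an added example, not code from the original post or from Rezilion, Google or Apple. It assumes a CycloneDX-style JSON SBOM with nested components, that libwebp 1.3.2 is the first release carrying the September 7 fix, and uses a placeholder Chrome version; the SBOM itself is constructed.

```python
"""
Added example (not from the original post): why an advisory filed against
the consuming product slips past dependency scanners, and what matching
on the library instead looks like.

Assumptions (not from the page): the SBOM is CycloneDX-style JSON; the
fixed libwebp version is 1.3.2; the Chrome "fixed_in" value is a placeholder.
"""
import json
import re
from typing import Iterator

# Constructed sample SBOM: a desktop app that vendors libwebp 1.3.1 inside
# an Electron-like framework, plus an unrelated library and a fixed copy.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "my-desktop-app", "version": "2.4.0",
         "components": [
             {"name": "electron", "version": "25.8.0",
              "components": [
                  {"name": "libwebp", "version": "1.3.1"},
              ]},
         ]},
        {"name": "zlib", "version": "1.3"},
        {"name": "libwebp", "version": "1.3.2"},
    ],
})

# Two descriptions of the same bug: as originally filed (against the
# browser) and remapped to the library that actually contains the fix.
ADVISORY_AS_FILED = {"id": "CVE-2023-4863", "product": "google chrome",
                     "fixed_in": "116.0.0"}        # placeholder version
ADVISORY_REMAPPED = {"id": "CVE-2023-4863", "product": "libwebp",
                     "fixed_in": "1.3.2"}          # assumed fixed release


def parse_version(v: str) -> tuple:
    """Split a dotted version into a tuple of ints so 1.3.10 > 1.3.2."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def walk_components(comps: list, path: str = "") -> Iterator[tuple]:
    """Yield (path, lowercased name, version) for every component,
    descending into nested (vendored) components."""
    for c in comps:
        here = f"{path}/{c['name']}@{c['version']}"
        yield here, c["name"].lower(), c["version"]
        yield from walk_components(c.get("components", []), here)


def affected(sbom_json: str, advisory: dict) -> list:
    """Return the paths of components whose name matches the advisory's
    product and whose version is older than the fixed one."""
    sbom = json.loads(sbom_json)
    fixed = parse_version(advisory["fixed_in"])
    hits = []
    for path, name, version in walk_components(sbom["components"]):
        if name == advisory["product"] and parse_version(version) < fixed:
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Matching on the product as filed finds nothing in this SBOM.
    print("as filed:", affected(SAMPLE_SBOM, ADVISORY_AS_FILED))
    # Matching on the library finds the vendored 1.3.1 copy.
    print("remapped:", affected(SAMPLE_SBOM, ADVISORY_REMAPPED))
```

The nested walk matters as much as the remapping: a flat scan of top-level components would only see the patched libwebp 1.3.2 and report the application clean, while the vulnerable copy sits two levels down inside the framework.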

Posted on September 27, 2023 at 7:08 AM

Comments

Anonymous September 27, 2023 8:51 AM

Responsible disclosure would require Apple and Google to report the vuln to the maintainers of libwebp to give them a chance to fix and release a patch before publicly highlighting the vuln’s origin.

How are Google and Apple to co-ordinate without publishing the location of the vuln.

To my mind, Rezilion are the ones putting all the other app users at risk, when they could have quietly notified libwebp rather than grandstanding.

Am I missing something here?

Nick Alcock September 27, 2023 11:08 AM

The vuln was fixed in libwebp on September 7th, by Vincent Rabaud @ google.com, right before the first set of coordinated browser releases. So I’d say that bit was done 🙂 of course doing that makes it instantly obvious to anyone trolling libwebp git for security holes, but that’s the cost of openness… and the reason for the embargo while the browsers built.

(It doesn’t require a great deal of “evidence”, really. It was dead obvious from the change in Chromium DEPS at the time of the first release: the git log for that file quotes the libwebp commit in enough detail to be clear that it’s an OOB write and the corresponding libwebp commit. I found the commit in question in minutes armed with no more info than the knowledge that Chromium had just released a security fix. Deeply hidden vuln fix this was not: Chromium advertised it well enough for people trying to fix vulns in other apps to be able to figure out that libwebp needed upgrading pronto. Rezilion is just trying to blow their own trumpet here.)
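The comment above describes a procedure: read the `git log -p -- DEPS` history of a Chromium checkout and see which pinned dependency revision the security release moved. The following is an added example, not the commenter's code or anything from the Chromium project, that scripts that step. The log text is constructed, the commit hashes and revisions are placeholders, and the DEPS line layout (key on one line, `Var(...) + '@' + '<rev>'` on the next) is assumed from the file's usual form.

```python
"""
Added example (not from the original post): extract dependency pin bumps
from `git log -p -- DEPS` output so a security roll of a third-party
library is visible without reading the whole diff by hand.

The log below is constructed; hashes are placeholders, not real history.
"""
import re

SAMPLE_GIT_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Example Bot <bot@example.invalid>
Date:   Thu Sep 7 00:00:00 2023 +0000

    Roll src/third_party/libwebp/src/ aaaaaaaaaaaa..bbbbbbbbbbbb (1 commit)

    Fix OOB write (constructed summary)

diff --git a/DEPS b/DEPS
--- a/DEPS
+++ b/DEPS
@@ -100,7 +100,7 @@
   'src/third_party/libwebp/src':
-    Var('chromium_git') + '/webm/libwebp.git' + '@' + 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+    Var('chromium_git') + '/webm/libwebp.git' + '@' + 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb',
   'src/third_party/zlib':
     Var('chromium_git') + '/chromium/src/third_party/zlib.git' + '@' + 'cccccccccccccccccccccccccccccccccccccccc',
"""

COMMIT = re.compile(r"^commit ([0-9a-f]{40})")
# A DEPS key line: optional diff prefix, indentation, 'path':
DEP_KEY = re.compile(r"^[ +-]\s*'([^']+)':\s*$")
# A changed DEPS value line ending in '@' + '<hex revision>'
DEP_REV = re.compile(r"^([+-])\s.*'@'\s*\+\s*'([0-9a-f]{7,40})'")


def dependency_rolls(log_text: str) -> list:
    """Return one record per dependency whose pinned revision changed:
    {commit, subject, dep, old, new}."""
    rolls = []
    commit = subject = dep = None
    old = new = None
    for line in log_text.splitlines():
        m = COMMIT.match(line)
        if m:
            commit, subject, dep = m.group(1), None, None
            continue
        # First indented, non-empty line after the headers is the subject.
        if subject is None and line.startswith("    ") and line.strip():
            subject = line.strip()
            continue
        m = DEP_KEY.match(line)
        if m:
            dep, old, new = m.group(1), None, None
            continue
        m = DEP_REV.match(line)
        if m and dep:
            if m.group(1) == "-":
                old = m.group(2)
            else:
                new = m.group(2)
            if old and new:
                rolls.append({"commit": commit, "subject": subject,
                              "dep": dep, "old": old, "new": new})
                old = new = None
    return rolls


def rolls_for(log_text: str, needle: str) -> list:
    """Filter rolls to dependencies whose path contains `needle`."""
    return [r for r in dependency_rolls(log_text) if needle in r["dep"]]


if __name__ == "__main__":
    for r in rolls_for(SAMPLE_GIT_LOG, "libwebp"):
        print(f"{r['commit'][:12]} {r['dep']}: {r['old'][:12]} -> {r['new'][:12]}")
        print(f"  {r['subject']}")
```

In practice you would feed it `git log -p -- DEPS` from a checkout and filter on the library you care about; the old and new revisions are exactly the range to inspect in the upstream repository for the fix commit.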

mark September 27, 2023 12:50 PM

Question 1: what about the Linux libraries?

Note: 30% smaller than .png? Why would you want to use .png, rather than .gif or jpg?

Winter September 27, 2023 1:16 PM

@mark

Why would you want to use .png, rather than .gif or jpg?

Obvious. .gif is patented and .jpg is a lossy compression. .png is neither.

Ahmad Phelps September 27, 2023 1:22 PM

Responsible disclosure would require … Am I missing something here?

You’re missing that “responsible”, in this sense, is purely subjective. Some people try to push their particular subjective view as the one true definition of “responsible”; others, including me, disagree (I think it’s almost always irresponsible to withhold information about security flaws from the users, and I recognize that’s a matter of opinion rather than fact).

People are always at risk from buggy code, whether or not anybody knows about it. The people who discover and/or publish this aren’t creating said risk any more than the people who pointed out the Tacoma Narrows Bridge was rocking violently.

Talking about which party should be blamed here isn’t useful anyway. It should probably be analyzed in the way we analyze transportation incidents (see any NTSB report, for example) or structural failures (NCSTAR 1 is a good read): what went wrong, and what can we do to prevent such things in the future?

lurker September 27, 2023 1:54 PM

This vuln. seems to have been fixed September 12, 2023, in Firefox 117.0.1 and a number of other apps that use Mozilla’s code. Attributed as CVE-2023-4863, reported by Apple and CitizenLab.

But, but, the Apple/CitizenLab one should be CVE-2023-41064 ?? This is why I usually give up on chasing the details …

Mike D. September 27, 2023 7:39 PM

@Winter @Nobby

GIF is still limited to a 256 color table and archaic compression. PNG is 24 bit and uses more modern compression.

I have no idea what hidden patent encumbrance WebP has.

I also get an allergic reaction from the fact that WebP has as much to do with HTTP et al. as JavaScript had to do with Java. But that’s just me.

Mike D. September 27, 2023 7:42 PM

@Sofa Close.

GIF allows you to designate one of the 256 colors as transparent. PNG gives you a full 8-bit alpha channel.

Winter September 28, 2023 1:27 AM

@Nobby

gif is patented
It isn’t? Patents expired long ago?

Are you sure no one has gotten a new patent on, eg, using .gif on a smartphone? Or patented some minor variant of gif?

Who wants to employ a patent lawyer to make sure?

Winter September 28, 2023 2:06 AM

Continued…

@nobby

gif is patented
It isn’t? Patents expired long ago?

So, you are certainly right and the original reason to develop PNG has gone with the original patent. However, the US patent situation is such a mess with patent trolls, patent thickets, and repatenting small variations that even an expired patent can still be a problem.

If the financial incentives are right, such a situation can be resolved. But no website or app developer wants to spend even a minute to think about it if there is no strong reason to use .gif.

Also, PNG code is under active maintenance. Gif, I would not bet on it.

Winter September 28, 2023 3:48 AM

@lurker

gif also gives us that other terror of the web: the ani-gif

It is not a bug, it is a feature!

Beulah Russell September 28, 2023 11:11 AM

Winter, to the extent the U.S. patent situation is a mess, I don’t see PNG helping at all with that. If someone can patent-bullshit you about a 36-year-old format, why not a 28-year-old format?

As for WebP, it’s derived from VP8’s intra-frame coding. VP8 was released in 2008, and an irrevocable patent license was given to the public in 2010; and it was based on older technology, so perhaps the patents are older. The MPEG people were attacking VP8 around 2011–2013, but those attacks seem to have died off after at least one court ruled against them.

Winter September 28, 2023 11:40 AM

@Beulah

someone can patent-bullshit you about a 36-year-old format, why not a 28-year-old format?

It is also about community spirit.

PNG was specifically designed to avoid patent attacks and all software is written open source. That “feels” more safe than a formerly patented format that has been actively used to beat down open source implementations.

There are people and organizations invested in defending PNG. Not so for gif. No one will stand up for you if you get in IP trouble because of gif.

Clive Robinson September 29, 2023 1:34 PM

@ Winter,

Re : Getting a lawyer…

“However, the US patent situation is such a mess with patent trolls, patent thickets, and repatenting small variations that even an expired patent can still be a problem.”

You forgot the other issue of importance…

If you don’t get a lawyer and don’t access patents in any way, then you can plead that you thought it was “open knowledge” as you got the idea in part from a book or magazine. Thus push the “prior knowledge” aspect.

If however you engage a lawyer they are first going to cover their ass not yours, and tell you about a whole file-cabinet full of patents your idea might infringe and advise you to read them.

This would be a very very bad idea to do, because then it becomes knowingly infringing, which carries a penalty multiplier of –if memory serves– three times as much, as well as scotching any “prior knowledge” argument.

You only have to look up US “submarine patents” that supposedly stopped well over a quarter of a century ago (June 1995), but were still being argued, to know that the whole US patent system was a rigged game,

https://www.archerlaw.com/two-recent-decisions-may-limit-the-effectiveness-of-submarine-patents/

And in many ways still is a rigged game.

So much so that major Silicon Valley Corps have spent probably hundreds of millions on lobbying other patent systems to be like the US system “or better” from their point of view. The result is the European Patent system is in a dire mess…

That was seen coming well over a decade ago,

https://www.theguardian.com/technology/2011/aug/22/european-unitary-patent-software-warning

(the “unitary patent” system is still not quite with us due to delays at the end of last year).

Winter September 29, 2023 2:47 PM

@Clive

If you don’t get a lawyer and don’t access patents in anyway, then you can plead that you thought it was “open knowledge” as you got the idea in part from a book or magazine. Thus push the “prior knowledge” aspect.

I would not hold your breath about the use of “prior knowledge”.

Look up the Neem tree patent. Having been described 2000 years ago in holy scriptures, the Vedas, was not considered “prior knowledge”. This knowledge was widely used in India, which was also not considered “prior knowledge”.

Or look up the “Mexican yellow beans patent”.

The summary is: The only thing that can stop a patent suit is more lawyers and deeper pockets. The best advice is to avoid doing business in the USA.

Clive Robinson September 29, 2023 5:03 PM

@ Winter,

“Look up the Neem tree patent.”

Well at least that was won and the EPO patent was struck down.

In the US you see the same sort of nonsense with the FDA and traditional medicines such as colchicine…

But also look into US court decisions. A patent obtained in the US by a UK company for liquid crystals was challenged and thrown out in its entirety because the court arbitrarily decided it was too broad…

Many will tell you that US Courts side with US Corps, and the figures they quote tends to support that view. Hence your point of,

“The best advice is to avoid doing business in the USA.”

Only it appears the US will go to war with countries they think are snubbing them in some way, or not singing off of the US Song Sheet. Thus kidnapping people’s children was “White House Policy” quite recently. And it dragged on even though the numpty that orchestrated it got sacked.

Winter September 30, 2023 4:47 AM

@Clive

Many will tell you that US Courts side with US Corps, and the figures they quote tends to support that view. Hence your point of,

The US uses patents as a global tax on doing business. If you do business in the US, you will have to pay patent license fees to your US competitors for using your own inventions.

The Freedom to Innovate: A Privilege or a Right?
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1913731/
