Critical Maximum-Rating Vulnerability in the libwebp Library

I wanted to notify you about a critical cybersecurity alert. This alert is so serious that Google has stamped it with their highest severity rating: a solid 10/10.

In layman’s terms, this newly discovered vulnerability (officially designated CVE-2023-5129) enables bad actors to execute unauthorized commands or access sensitive data by using maliciously crafted pages.

But the bigger issue is that this vulnerability has been found in a software library known as libwebp—and libwebp is used by all kinds of software: 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, native Android web browsers, and more. So, it is urgent that you identify and remediate this vulnerability wherever it exists in your environment.

Please contact us right away if you have any questions about this issue and/or how you can most effectively protect your business from the significant and immediate danger it presents to you and your customers. We welcome the opportunity to assess your current exposure and remediate any vulnerabilities that may be putting you at risk.

Here’s the technical gist: This flaw revolves around a heap buffer overflow in WebP, related to the Huffman coding algorithm used by libwebp for lossless compression. So malicious actors can potentially take advantage of this vulnerability to execute unauthorized commands or access sensitive data by using maliciously crafted pages.

The real problem, however, is that a lot of software uses the libwebp library. So we’re looking at a vast landscape of potential vulnerabilities that includes 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, native Android web browsers, and more.

Remediating this vulnerability therefore requires you to pinpoint every piece of software in your environment that integrates the libwebp library.

This will be a huge undertaking. And it underscores the critical importance of maintaining a complete, accurate, and up-to-date software inventory. So we need to act fast and remediate thoroughly.
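
One way to start the inventory described above, as an added example (not part of the original advisory): a Python scan that lists separately shipped libwebp library files by name and flags executables that appear to embed WebP decoding. The file-name pattern and the `WEBP`/`VP8L` marker heuristic are assumptions; hits are candidates for review and say nothing about whether a given copy is already patched.

```python
import hashlib, os, re, sys
from pathlib import Path

# Assumed file names for separately shipped libwebp builds (Linux, macOS, Windows).
LIB_NAME = re.compile(r"^libwebp(decoder|demux|mux)?[-.\d]*\.(so[.\d]*|dylib|dll|a)$", re.I)
EXEC_MAGIC = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")  # ELF, PE, Mach-O
# Heuristic (assumption): container tags that WebP lossless decoding code compares against.
MARKERS = (b"WEBP", b"VP8L")

def classify(name, data):
    """Return 'library', 'embedded-candidate', or None for one file."""
    if LIB_NAME.match(name):
        return "library"
    if data.startswith(EXEC_MAGIC) and all(m in data for m in MARKERS):
        return "embedded-candidate"  # bundled or statically linked copy is possible
    return None

def scan(root):
    """Walk root and return sorted (relative path, kind, sha256) for every hit."""
    root, hits = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():  # e.g. libwebp.so.7 pointing at the real file
                continue
            try:
                data = path.read_bytes()  # whole-file read; acceptable for a spot check
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            kind = classify(name, data)
            if kind:
                hits.append((path.relative_to(root).as_posix(), kind,
                             hashlib.sha256(data).hexdigest()))
    return sorted(hits)

def build_sample_tree(root):
    """Write constructed sample files (not real binaries) to exercise the scanner."""
    samples = {
        "usr/lib/libwebp.so.7.1.5": b"\x7fELF-dummy",
        "opt/app/chat.exe": b"MZ\x00\x00...RIFF\x00\x00\x00\x00WEBPVP8L...",
        "opt/app/readme.txt": b"mentions WEBP and VP8L but is not executable",
        "usr/bin/tool": b"\x7fELF no image code here",
    }
    for rel, content in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)

if __name__ == "__main__":
    for rel, kind, digest in scan(sys.argv[1]):
        print(f"{kind}\t{digest[:16]}\t{rel}")
```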