CyberSecurity SEE

Clarification provided on actively exploited critical bug

Google has issued an update to address a vulnerability that was initially believed to be a bug in Chromium but is actually a flaw in libwebp, the image library that Chromium and many other applications use, according to a report by TechCrunch. The vulnerability, tracked as CVE-2023-4863, is a critical heap buffer overflow in libwebp, which is widely used by applications to decode the WebP image format.

The flaw allows a remote attacker to perform an out-of-bounds memory write. In a browser the trigger is a crafted HTML page that carries a malicious WebP image, but the overflow happens inside libwebp's decoder, not in the browser, so any application that decodes untrusted WebP data with a vulnerable copy of the library is potentially affected, whatever the delivery channel. Because libwebp is linked or bundled into a great many applications, including ones that never render HTML, the attack surface is likely extensive.

To mitigate the risk posed by this vulnerability, researchers at Huntress recommend updating all web browsers and maintaining a solid software inventory that records software versions, so that hosts running vulnerable versions can be identified quickly and the exposure reduced.

Chris Wysopal, founder and CTO at Veracode, acknowledges the convenience and productivity provided by open-source code but emphasizes the need for organizations to have processes in place to manage the risk of vulnerabilities in their supply chains. He suggests two crucial measures: continuously inventorying the open-source software (OSS) used in applications during the software development life cycle (SDLC) and implementing a highly automated SDLC to quickly update, test, and deploy new versions of custom applications with updated OSS packages to fix vulnerabilities.

Wysopal highlights the importance of keeping third-party libraries up to date, as many open-source library flaws can be fixed with an update. However, he notes that 79% of developers never update third-party libraries after including them in the codebase. This is despite the fact that 92% of open-source library flaws can be fixed with an update, and 69% of fixes are minor and won’t break the functionality of software applications. Wysopal advises software buyers to inquire about vendors’ processes for addressing vulnerabilities in open-source software to reduce the vulnerability window caused by a slow response to updates.
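The inventory check that Huntress recommends and the continuous OSS inventory that Wysopal describes can be automated against an SBOM. The following is an added example, not code from the article, Huntress or Veracode: it walks a constructed CycloneDX-style SBOM (sample data, not a real inventory) and flags every libwebp component whose version is older than 1.3.2, the libwebp release that contains the fix for CVE-2023-4863 (a version threshold supplied from the libwebp release notes, not stated in the article). It descends into nested components because an application that statically links or vendors libwebp never shows up as an OS package, which is exactly the copy a package-manager query misses.

```python
"""Flag vulnerable libwebp copies in a CycloneDX-style SBOM (added example)."""
import json
import re

# Version that ships the fix for CVE-2023-4863. Taken from the libwebp 1.3.2
# release, not from the article; adjust if your vendor backported the patch.
FIXED_IN = "1.3.2"

# Any component whose name starts with "libwebp" (libwebp, libwebp7, libwebp-dev ...)
LIBWEBP_NAME = re.compile(r"^libwebp(\d|-|$)")

# Constructed sample SBOM for the demo; not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libwebp7", "version": "1.2.4-0.2",
         "purl": "pkg:deb/debian/libwebp7@1.2.4-0.2"},
        {"type": "library", "name": "libwebp", "version": "1.3.10"},
        {"type": "application", "name": "image-service", "version": "4.1.0",
         # statically linked copy: invisible to the OS package manager
         "components": [
             {"type": "library", "name": "libwebp", "version": "1.3.1"},
         ]},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
    ],
})


def parse_version(version):
    """'1.3.2-0.2' -> (1, 3, 2): compare numerically, so 1.3.10 > 1.3.2."""
    upstream = version.split("-", 1)[0]          # drop a distro revision suffix
    return tuple(int(m.group()) for m in re.finditer(r"\d+", upstream))


def walk(components, path=()):
    """Yield (path, component) for each component, descending into nested ones."""
    for comp in components:
        here = path + (f"{comp.get('name')}@{comp.get('version', '?')}",)
        yield here, comp
        yield from walk(comp.get("components", []), here)


def find_vulnerable_libwebp(sbom_text, fixed_in=FIXED_IN):
    """Return a finding for every libwebp component older than fixed_in.

    A component with no recorded version is reported too: an inventory that
    cannot say which version is present cannot say the host is safe.
    """
    findings = []
    for path, comp in walk(json.loads(sbom_text).get("components", [])):
        name = (comp.get("name") or "").lower()
        if not LIBWEBP_NAME.match(name):
            continue
        version = comp.get("version")
        if version is None or parse_version(version) < parse_version(fixed_in):
            findings.append({
                "path": " > ".join(path),
                "version": version,
                "fixed_in": fixed_in,
                "status": "unknown version" if version is None else "vulnerable",
            })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_libwebp(SAMPLE_SBOM):
        print(f"{finding['status']:16} {finding['path']} (fixed in {finding['fixed_in']})")
```

Run it against the SBOM your build pipeline or package scanner emits rather than the sample. The threshold is a parameter because Linux distributions often backport a fix without bumping the upstream version number; for those packages the distribution advisory, not the upstream version, is the source of truth, and a version-only check like this one will produce false positives unless the threshold is adjusted per distribution.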

In conclusion, the recent vulnerability discovered in the libwebp library used by Chromium highlights the importance of continuously monitoring and updating software to address vulnerabilities. Organizations should prioritize updating web browsers and maintaining a comprehensive software inventory to promptly identify and mitigate risks. Additionally, implementing automated processes to manage the risk of vulnerabilities in open-source software is crucial for maintaining a secure and resilient supply chain.
