NSO Group’s Pegasus spyware recently re-emerged with a new zero-click attack chain called BLASTPASS, and new CVE filings from Google indicate that the “libwebp” library used to display WEBP images has a security vulnerability that is a key part of the process.
Google’s bug report pertains to Chrome (versions prior to 116.0.5845.187), but instances of libwebp up to version 1.3.2 are similarly impacted. The library is used by a wide variety of software and applications that have the ability to display WEBP images, to include web design tools such as WordPress, game design tools and a variety of instant messaging apps.
libwebp security vulnerability part of BLASTPASS, but can be damaging in isolation
BLASTPASS has already been addressed by Apple in iOS versions newer than 16.6, but the libwebp issue can potentially be exploited on its own. The good news is that the libwebp issue is not a zero-click in and of itself, requiring victims to load a tainted image contained within a particularly crafted malicious HTML file to create the possibility of arbitrary code execution. So, at least at this time, it does not appear that the security vulnerability can be exploited simply by viewing WEBP images on social media platforms or via search engines.
It is potentially quite dangerous if it can be executed on a target’s device, however. It is also not trivial to patch, superficially similar to Log4J in that each instance of libwebp will have to be individually addressed. That means web browsers, instant messaging apps, game design and web design tools, Linux distros, CMS frameworks and an assortment of other software will all have to be individually patched to remove the security vulnerability.
The common theme for end users is that if software or apps have the ability to open or display WEBP and/or WEBM files, look out for a recent security update that should be installed ASAP.
Compression algorithm for libwebp at fault
WEBP’s selling point is improved compression without a loss in quality from what is currently expected from the more common GIF and PNG files, but it appears that the compression algorithm in libwebp is where the security vulnerability was found.
Apple’s Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto’s Munk School first filed a report about the security vulnerability on September 6. A follow-up from Google initially indicated that it was an issue specific to their Chrome browser, but that has since been revised again to indicate that anything employing libwebp is likely vulnerable. This includes nearly every major web browser, nearly all of which have issued patches for the issue at this point.
Another follow-up from Google indicates that the libvpx library, which is used for WEBM video files, is similarly impacted. A patch has also been issued for that vulnerability. This will likely necessitate updates for many different video players and converters, and mobile operating system file viewers.