Researchers recently discovered a serious vulnerability in software that is found on millions of computers, tablets, and phones. This software, known as libwebp, is guaranteed to be on your devices. It’s one more vulnerability on the long list of vulnerabilities that could exist on your devices.
The vulnerability came to light when it allowed hackers to infect a fully patched iPhone running iOS 16.6 belonging to a Washington DC-based organization with Pegasus, sophisticated spyware developed by the Israeli cyber-arms company NSO Group.
Libwebp is a software library used for encoding and decoding WebP images. In the simplest of terms, libwebp delivers a new way to compress images that can make them smaller without losing quality. This is useful for saving space on your computer or for sending images over the internet. Libwebp is used by a wide variety of applications, including web browsers, image editors, video editors, and game engines. It is also used by many popular websites.
Libwebp is found in the world’s most prolific software applications, including some that are certainly on your devices, such as:
- Web browsers: Chrome, Firefox, Edge, Safari, Opera, Brave, Vivaldi, Chromium
- Image editors: GIMP, Inkscape, Photoshop, Affinity Photo, Pixelmator Pro
- Video editors: DaVinci Resolve, Adobe Premiere Pro, Final Cut Pro, HitFilm Express
- Graphic design software: Adobe Illustrator, Sketch, Affinity Designer, CorelDRAW
- Office suites: LibreOffice, OpenOffice, Microsoft Office
- Productivity software: Slack, Discord, Telegram, WhatsApp
- Game engines: Unity, Unreal Engine, Godot
- Many other applications, including cross-platform apps built with Flutter, an open-source UI software development kit created by Google. Flutter is used to develop cross-platform applications from a single codebase for Android, iOS, Linux, macOS, and Windows-based devices.
Unfortunately, the libwebp library contains a serious security flaw that can be exploited to execute arbitrary code on your devices. This could allow an attacker to take control of your devices, install malware, and steal or ransom your sensitive data.
The vulnerability is caused by an integer overflow in the libwebp library. An integer overflow is a type of programming error that occurs when a mathematical operation results in a value that is too large to fit in the space the program has set aside to store it. This can cause the program to crash or behave unexpectedly. In the case of the libwebp vulnerability, the integer overflow can be exploited to cause the libwebp library to execute arbitrary code.
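To make the integer overflow described above concrete, here is an added example in C. It is not libwebp's code and does not reproduce the actual flaw; it shows a hypothetical image decoder working out how many bytes a picture needs, first without a range check and then with one. The function names and the sample dimensions are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Unchecked: the multiplication is done in 32 bits, so a result larger
 * than 4,294,967,295 silently wraps around to a small number. */
static uint32_t pixel_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked: returns 0 and stores the size in *out, or returns -1 when a
 * dimension is zero or the true product does not fit in 32 bits. */
static int pixel_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                               uint32_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (width > UINT32_MAX / height)      /* width * height would wrap */
        return -1;
    uint32_t pixels = width * height;
    if (pixels > UINT32_MAX / bpp)        /* pixels * bpp would wrap */
        return -1;
    *out = pixels * bpp;
    return 0;
}

int main(void)
{
    /* Constructed header values, not taken from any real file. */
    uint32_t w = 65536, h = 16385, bpp = 4;   /* true size: about 4 GiB */
    uint32_t size = 0;

    /* The wrapped value is only 256 KiB. A decoder that allocates this
     * much and then writes w * h pixels runs past the end of the buffer. */
    printf("unchecked size: %lu bytes\n",
           (unsigned long)pixel_bytes_unchecked(w, h, bpp));

    if (pixel_bytes_checked(w, h, bpp, &size) != 0)
        printf("checked: oversized image rejected\n");

    if (pixel_bytes_checked(1920, 1080, 4, &size) == 0)
        printf("checked: 1920x1080 needs %lu bytes\n", (unsigned long)size);
    return 0;
}
```

The checked version refuses the oversized image before any memory is allocated, which is the kind of validation a patch for this class of bug adds.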
I don’t want to get too far off into the technical weeds. It suffices to say that if ever there was a moment in computing history where it was important to update all your software and patch vulnerabilities, this is that moment. In addition to updating your stuff, deploy a defense in depth strategy.
A defense in depth strategy is a cybersecurity approach that uses multiple layers of security to protect your devices and data from attack. This means that even if one layer of security is compromised, there are still other layers in place to protect you.
Here is a simple analogy to help you understand defense in depth:
Imagine you are building a house to protect yourself from burglars. You could build a sturdy door and lock it, but that wouldn’t be enough to stop a determined burglar. So you might also install windows with locks, a security system, and motion sensor lights.
This is a defense in depth strategy. Because you have multiple layers of security in place, it is much more difficult for a burglar to break into your house.
The same principle can be applied to cybersecurity. By using multiple layers of security, you can make it much more difficult for attackers to compromise your computer and data.
If you are one of our managed services customers, we deploy a defense in depth strategy for you: we are updating your stuff and we are hunting for hackers that may utilize zero-day vulnerabilities. If you aren’t one of our managed services customers, download our cybersecurity essentials playbook and learn how to protect your stuff. Of course, if you need help hardening your information technology, we are ready to help – get in touch….