Recently, both Apple and Google patched zero-day vulnerabilities in their software. What was not clear from their disclosures, however, was that both were caused by the exact same bug in the code that decodes the WebP image format. Researchers at Rezilion argue that the tech companies’ brevity surrounding these vulnerabilities creates a blind spot in the security field.
In early September, The Citizen Lab detected suspicious activity on the iPhone of a user working for a civil rights organization in Washington DC. The attackers had exploited CVE-2023-41061 and CVE-2023-41064 to install spyware on the victim’s phone, bypassing layers of protection within iMessage. Apple concluded that the fault lay with ImageIO, its framework for identifying and decoding images, and quickly fixed the issue with an update for iOS, macOS and watchOS without going into detail about which image format had been exploited.
The WebP format (originally designed by Google) did get a mention in vulnerability CVE-2023-4863, which was disclosed in mid-September. Hackers were able to exploit the zero-day to perform remote code execution, such as installing unwanted software. The browsers Chrome, Firefox, Edge, Brave and Vivaldi have been updated to ward off the threat, even though Google initially stated that only Chrome itself (not Chromium-based browsers) was vulnerable.
Several security experts questioned whether the two vulnerabilities might have had the same cause. Will Dormann, for example, argued that the same software flaw should not be identified with different CVE codes. After all, such a code should make clear which vulnerability is involved and where it occurs. Both CVE-2023-41064 and CVE-2023-4863 were reported as exploited “in the wild”, even though they describe the same flaw and should not have been distinguishable from each other.
Specifically, both cases involved a heap buffer overflow in the libwebp package of the WebP codec, which is used to encode and decode images. The amount of data the decoder processes depends on the input, and a crafted image can make it write beyond the bounds of the allocated heap buffer, which an attacker can turn into remote code execution. The libwebp package is found billions of times in Rust, Python, Node.js and WordPress, among others.
The Citizen Lab at the University of Toronto’s Munk School notified Apple and Google that it had discovered the vulnerability. Researchers at Rezilion managed to establish this by comparing Apple’s security advisory documentation with an update notice from Google. After The Citizen Lab had informed them, things went awry inside both tech companies: each gave too narrow an explanation of the vulnerability, with Google reporting that only Chrome was affected while Apple attributed it to its own ImageIO framework.
Rezilion warns of “false negatives”: after all, those who scan for CVE-2023-41064 may not find anything, while an end user may still be vulnerable to the WebP format flaw via CVE-2023-4863. According to Rezilion, by making such an error in their vulnerability reporting, the tech giants are creating a “huge blind spot” for organizations that rely solely on the outcome of a security scanner.
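To make the false-negative problem concrete, here is an added example (not Rezilion’s, Apple’s or Google’s code) of two ways a scanner can match advisories against a host’s package inventory. The naive scanner matches only the product a vendor named (ImageIO, Chrome); the component-aware scanner resolves both CVE ids to the library that actually carries the flaw, libwebp, and compares the version of every bundled copy. All package and version numbers below, including the libwebp fixed version, are constructed placeholders, since the article does not state them; the real fixed version comes from the vendor advisories.

```python
"""Component-aware vulnerability matching, so that two CVE ids describing one
libwebp flaw are reported together instead of producing a false negative.

Added example, not a vendor's or Rezilion's tool. All versions below are
constructed placeholders; take real fixed versions from the vendor advisories.
"""
from dataclasses import dataclass, field

# Constructed placeholder: the first libwebp release containing the fix is not
# stated in the article. Replace it with the version from the advisory.
LIBWEBP_FIXED = "2.0.0"


def parse_version(v: str) -> tuple:
    """'1.5.0' -> (1, 5, 0); tuples compare element-wise, which is what we need."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str        # what the vendor's advisory names (ImageIO, Chrome)
    component: str      # the library that actually carries the flaw
    fixed_version: str  # first component release that contains the fix


@dataclass
class Package:
    name: str
    version: str
    # vendored or statically linked components carried inside this package,
    # as {component name: component version}
    bundles: dict = field(default_factory=dict)

    def component_versions(self) -> dict:
        """Every component this package carries, including the package itself."""
        return {self.name: self.version, **self.bundles}


# The two advisories the article discusses: different ids, one underlying bug.
ADVISORIES = {
    "CVE-2023-41064": Advisory("CVE-2023-41064", "ImageIO", "libwebp", LIBWEBP_FIXED),
    "CVE-2023-4863": Advisory("CVE-2023-4863", "Chrome", "libwebp", LIBWEBP_FIXED),
}

# Constructed inventory of a Linux host; package versions are made up.
SAMPLE_INVENTORY = [
    Package("chromium", "116.0", {"libwebp": "1.5.0"}),       # bundles an old libwebp
    Package("python3-pillow", "10.0", {"libwebp": "2.0.0"}),  # bundles a patched one
    Package("libwebp", "1.5.0"),                              # distro package, unpatched
    Package("openssl", "3.1.0"),                              # unrelated package
]


def naive_scan(inventory, advisory):
    """Match only on the product the advisory names. This is the scanner
    behaviour that yields the false negative: a Linux host has no package
    called ImageIO or Chrome, so nothing is reported."""
    return [p.name for p in inventory if p.name.lower() == advisory.product.lower()]


def component_scan(inventory, advisories):
    """Match on the flawed component and its version wherever it is bundled.
    Returns {package name: sorted CVE ids} for every vulnerable package, so
    both ids for the same libwebp bug surface against the same package."""
    findings = {}
    for pkg in inventory:
        carried = pkg.component_versions()
        for adv in advisories:
            installed = carried.get(adv.component)
            if installed is None:
                continue
            if parse_version(installed) < parse_version(adv.fixed_version):
                findings.setdefault(pkg.name, set()).add(adv.cve)
    return {name: sorted(cves) for name, cves in findings.items()}


if __name__ == "__main__":
    for cve, adv in ADVISORIES.items():
        print(cve, "naive scan:", naive_scan(SAMPLE_INVENTORY, adv))
    print("component-aware scan:", component_scan(SAMPLE_INVENTORY, ADVISORIES.values()))
```

Run against the constructed inventory, the naive scan returns nothing for either CVE id, while the component-aware scan flags both the distro libwebp package and the chromium package that bundles its own copy, under both ids. The practical point is that a scanner needs a mapping from CVE id to the affected component, not just to the product the vendor chose to name.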
Because reporting of such cyber dangers is often succinct, CVE codes should ensure that everyone knows exactly which vulnerability is involved. For example, it was hard to discern that many Linux-based operating systems could also be affected by the WebP exploit if not updated. Updates are now available for Debian, Ubuntu, Red Hat and Oracle Linux, among others; Amazon Linux reportedly has not yet released an update.