LibWebP has a reported critical zero-click vulnerability potentially impacting a huge number of web-based applications. Discover the risk to your software supply chain security (SSCS) and what you can do to protect your organization.
The LibWebP open source software library for processing WebP images has a reported vulnerability. Google has raised the severity of this issue to its maximum threat level.
Apple researchers have already found cases where hackers have been able to upload malware to user systems, simply from them viewing a WebP image. This means that no amount of user training can avoid this security risk, and organizations must protect themselves against the vulnerability at code level.
Let's explore what LibWebP is, what level of open-source software risk the threat poses, and what you can do to protect yourself.
What Is LibWebP?
LibWebP is a code library used to render and display images in the WebP format. WebP is an open-source raster graphics file format created by Google and designed to be more compressed, so load faster, than other online image formats like PNG or JPEG.
Essentially, LibWebP is a CODEC resource library of tools for encoding, decoding, animating, and displaying WebP images. A large number of popular software platforms use resources from LibWebP in order to display and work with WebP images online, including Google's own Chrome browser - the most popular web browser in the world - Mozilla Firefox, and Microsoft Edge.
In almost every case that a browser or other web platform accesses and displays a WebP image, LibWebP resources are used. A vulnerability in LibWebP could, therefore, have widespread consequences.
Why Is LibWebP Vulnerable?
The vulnerability in LibWebP was discovered on September 7, 2023 by researchers at the University of Toronto's Citizen Lab, and Apple Security Engineering and Architecture (SEAR). The researchers found instances of hackers exploiting open-source code in LibWebP in order to upload malware to users.
This was particularly troubling as the LibWebP exploit was a 'zero-click' issue. This meant that the hackers could access data after users simply viewed a WebP image, without having to take any avoidable actions.
Both institutions immediately reported the vulnerability to Google. Strangely, however, Google chose to log the vulnerability on September 11 as an issue with Chrome only, despite the ramifications being far wider, and released an update to Chrome to protect against it, rather than to LibWebP.
Later, on September 25, Google relogged the LibWebP vulnerability as a new Common Vulnerabilities and Exposures identifier (CVE ID) at their highest level of risk. They then rejected the new ticket as a duplicate of the previous one, which has caused confusion among customers.
Cyber security experts, however, are warning that the highest risk rating is appropriate as the vulnerability exposes a larger variety of software than just Chrome, and are comparing the issue to the Apache Log4j 2 vulnerability that arose in 2021. Mozilla, Microsoft, Opera, and Apple browsers, a variety of Linux applications, the Electron user interface (UI) framework, Selenium browser automation tools, Wordpress, 1Password, GitHub, Twitch, and Signal, could all potentially be vulnerable.
Do You Need To Worry?
The LibWebP vulnerability has not yet become a major issue. While the initial reporters have discovered incidences of the vulnerability actually being used, this is not yet widespread.
For now, updating your web browsers to the latest version is your best course of action. However, as the situation develops, it will be important to find everywhere you're vulnerable to the LibWebP vulnerability.
As one Reddit user stated: "...finding this library embedded within second and third-tier applications is going to be a b**ch". Yet, without knowing where LibWebP has been used in your application portfolio, you will be unable to avoid the potential risk.
What Can You Do To Protect Yourself?
LibWebP is a commonly used resource that has been liberally leveraged throughout a variety of web-based applications. There are a variety of tools available, such as CycloneDX, for scanning your code to locate where open-course libraries have been used, however, running through each application can take some time.
This is why it's crucial for organizations to maintain a library of software bills of materials (SBOMs). SBOMs are essentially ingredient lists for your software, and can be generated by tools like CycloneDX, but storing all your individual SBOMs and making them searchable as a whole takes the work out of software vulnerability remediation.
With an organized approach to SBOM creation and collation, organizations will be empowered to scope and remediate their software vulnerabilities with incredible speed. This software security 'superpower' will give them a competitive advantage in the market.
Speed Up Your Response To Issues Like LibWebP
Remeditating open-source software risks like the one in LibWebP requires a prepared library of software bills of materials (SBOMs) for all of your software. That's why organizations need LeanIX VSM.
Our VSM promotes developer autonomy by aligning engineering teams with a centralized service catalog. Comprehensively understanding all your services encourages re-use, reduces duplication, and facilitates faster response to vulnerabilities.
Create complete transparency across your DevOps toolchain to drive ownership, API maturity, and software supply chain security. This is crucial to enable organizations to respond to threats like the issues with LibWebP.
