Google has quietly resubmitted a disclosure of a critical code-execution vulnerability affecting hundreds of individual apps and software frameworks after its earlier submission left readers with the mistaken impression that the threat affected only the Chrome browser.
The vulnerability originates in the libwebp code library, which Google created in 2010 for rendering images in webp, a then-new format that produced files up to 26 percent smaller than PNG images. Libwebp is incorporated into nearly every app, operating system, or other code library that renders webp images, most notably the Electron framework used in Chrome and many other apps that run on both desktop and mobile devices.
Two weeks ago, Google issued a security advisory for what it said was a heap buffer overflow in WebP in Chrome. Google’s formal description, tracked as CVE-2023-4863, scoped the affected vendor as “Google” and the affected software as “Chrome,” even though any code that used libwebp was vulnerable. Critics warned that Google’s failure to note that hundreds of other pieces of code were also vulnerable would result in unnecessary delays in patching the vulnerability, which allows attackers to execute malicious code when users do nothing more than view a booby-trapped webp image.