Zero-Day Security Vulnerability Detected in Chrome, Firefox and Other Browsers

Updates are now available to fix a vulnerability in Chrome that would allow attackers to execute malicious code.

It’s time to update Google Chrome, Mozilla’s Firefox or Thunderbird, Microsoft Edge, the Brave browser or the Tor Browser; web development news site StackDiary reported a zero-day vulnerability in all six browsers that could allow malicious actors to execute malicious code.

The vulnerability comes from the WebP codec

Users of affected browsers should update to the latest version to ensure that the zero-day vulnerability is patched on their machines. The problem does not originate in the browsers themselves: the vulnerability is in the WebP codec, StackDiary found.

Other affected apps include:

  • Affinity.
  • Jester.
  • Inkscape.
  • LibreOffice.
  • Telegram.
  • Many Android apps.
  • Cross-platform apps built with Flutter.

Applications built on Electron may also be affected; Electron released a patch.

Many applications use the WebP codec and libwebp library to render WebP images, StackDiary noted.

In more detail, a heap buffer overflow in WebP allowed attackers to perform an out-of-bounds memory write, NIST said. A heap buffer overflow allows attackers to insert malicious code by “overflowing” the amount of data in a program, StackDiary explained. Since this heap buffer overflow targets the codec (essentially a translator that allows a computer to render WebP images), the attacker could create an image with malicious code embedded in it. From there, they could steal data or infect the computer with malware.

The vulnerability was first detected by Apple’s security engineering and architecture team and the University of Toronto’s Citizen Lab on September 6, StackDiary reported.

What steps should users take?

Google, Mozilla, Brave, Microsoft and Tor have released security patches for this vulnerability. People running these apps should update to the latest version. For other applications, the vulnerability persists and patches may not be available; NIST noted that the vulnerability has not yet been fully analyzed.

NIST has classified the vulnerability as serious and recommends that users stop using applications for which a patch is not yet available. Check each application individually as needed.
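To decide which installed applications need that individual check, the sketch below inventories files under an application directory that ship libwebp as a separate library or carry its decoder symbols inside a larger binary. It is an added example, not code from the article, StackDiary or any vendor; the file-name prefix and the two symbol names (`WebPDecode`, `WebPGetInfo`, both public libwebp functions) are heuristics assumed here, and a stripped static build can evade them.

```python
import os
import sys

LIB_PREFIX = "libwebp"                        # assumed naming of a bundled shared library
MARKERS = (b"WebPDecode", b"WebPGetInfo")     # libwebp API names left in unstripped binaries
CHUNK = 1 << 20                               # read files in 1 MiB blocks


def has_marker(path):
    """Return True if any marker occurs in the file, including across block boundaries."""
    overlap = max(len(m) for m in MARKERS) - 1
    tail = b""
    try:
        with open(path, "rb") as fh:
            while True:
                block = fh.read(CHUNK)
                if not block:
                    return False
                window = tail + block
                if any(m in window for m in MARKERS):
                    return True
                tail = window[-overlap:]      # keep enough bytes to catch a split marker
    except OSError:
        return False                          # unreadable file: not reported


def find_libwebp_users(root):
    """Walk root and return sorted (path, reason) pairs for files that include the codec."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                      # skip symlinks such as libwebp.so -> libwebp.so.7
            if name.lower().startswith(LIB_PREFIX):
                findings.append((path, "bundled library"))
            elif has_marker(path):
                findings.append((path, "embedded symbol"))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, why in find_libwebp_users(target):
        print(f"{why:16} {path}")
```

A hit only shows that the codec is present, not that it is unpatched; use the list to decide which vendors to check for a fixed release.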
