The incomplete information in recent disclosures by Apple and Google reporting critical zero-day vulnerabilities under active exploitation in their products has created a “huge blindspot” that has left many offerings from other developers unpatched, researchers said Thursday.
Two weeks ago, Apple reported that threat actors were actively exploiting a critical vulnerability in iOS so they could install the spyware known as Pegasus. The attacks used a zero-click method, meaning they required no interaction on the part of the targets. Just receiving a call or text on an iPhone was enough to be infected with Pegasus, one of the most advanced pieces of malware known.
Apple said the vulnerability, tracked as CVE-2023-41064, stems from a buffer overflow bug in ImageIO, a proprietary framework that allows applications to read and write most image file formats, including one known as WebP. Apple credited the zero-day discovery to Citizen Lab, a research group at the University of Toronto’s Munk School that tracks nation-state attacks targeting dissidents and other high-risk groups.
Four days ago, Google reported a critical vulnerability in its Chrome browser. The company described the vulnerability as a heap buffer overflow in WebP and warned that an exploit for it exists in the wild. Google said the vulnerability, designated CVE-2023-4863, was reported by the Apple Security Engineering and Architecture team and Citizen Lab.
Speculation, including from me, quickly emerged that the many similarities strongly suggested the underlying bug for both vulnerabilities was the same. On Thursday, researchers from security firm Rezilion published evidence they said made it “highly possible” that both stemmed from the same bug, specifically in libwebp, the code library included in apps, operating systems, and other code libraries to process WebP images.
Instead of Apple, Google, and Citizen Lab coordinating and accurately reporting the common source of the vulnerability, they chose to use separate CVE designations, the researchers said. The researchers concluded that “millions of different applications” would remain vulnerable until they, too, included a fix for libwebp. That, in turn, they say, prevents the automated systems developers use to track known vulnerabilities in their offerings from identifying a critical vulnerability that’s under active exploitation.
“Because the vulnerability is covered under the underlying product that contains the vulnerable dependency, the vulnerability will only be flagged by vulnerability scanners for these specific products,” Rezilion researchers Ofri Ouzan and Yotam Perkal wrote. “This creates a HUGE blindspot for organizations that blindly rely on the output of their vulnerability scanner.”
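The blind spot the researchers describe can be made concrete with a small check over a software inventory. The following Python is an added illustration, not code from the article, from Rezilion, or from any vendor: it contrasts a scanner keyed to the product named in the CVE (which flags only that product) with a check keyed to the bundled library (which flags every component shipping an older libwebp). The SBOM, the application names and all version numbers are constructed sample data; the libwebp version used as the "fixed" threshold is an assumption and should be verified against the upstream libwebp advisory before use.

```python
"""Compare product-keyed and dependency-keyed vulnerability flagging over an SBOM."""
import json

# Assumption (not stated in the article): the first libwebp release carrying the fix.
# Verify this value against the upstream libwebp advisory before relying on it.
FIXED_LIBWEBP_VERSION = "1.3.2"

# Constructed, simplified CycloneDX-style inventory. Every application name and
# every version below is sample data, not a real product inventory.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"name": "Google Chrome", "version": "116.0",
         "dependencies": [{"name": "libwebp", "version": "1.3.1"}]},
        {"name": "ExamplePhotoViewer", "version": "4.1.0",
         "dependencies": [{"name": "libwebp", "version": "1.3.1"}]},
        {"name": "ExampleChatClient", "version": "2.7.3",
         "dependencies": [{"name": "libwebp", "version": "1.2.4"},
                          {"name": "zlib", "version": "1.3"}]},
        {"name": "ExampleTextEditor", "version": "9.0",
         "dependencies": [{"name": "zlib", "version": "1.3"}]},
    ]
})


def parse_version(version: str) -> tuple:
    """Turn '1.3.2' into (1, 3, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def flag_by_product(sbom_json: str, affected_products: set) -> list:
    """Mimic a scanner keyed to the product named in the CVE: only those products are flagged."""
    sbom = json.loads(sbom_json)
    wanted = {p.lower() for p in affected_products}
    return sorted(c["name"] for c in sbom["components"] if c["name"].lower() in wanted)


def flag_by_dependency(sbom_json: str, library: str, fixed_version: str) -> list:
    """Flag every component that bundles `library` at a version older than `fixed_version`."""
    sbom = json.loads(sbom_json)
    fixed = parse_version(fixed_version)
    hits = []
    for comp in sbom["components"]:
        for dep in comp.get("dependencies", []):
            if dep["name"].lower() == library.lower() and parse_version(dep["version"]) < fixed:
                hits.append((comp["name"], dep["version"]))
    return sorted(hits)


def blind_spot(sbom_json: str, affected_products: set, library: str, fixed_version: str) -> list:
    """Components the dependency-keyed check catches that the product-keyed check misses."""
    by_product = set(flag_by_product(sbom_json, affected_products))
    return [name for name, _ in flag_by_dependency(sbom_json, library, fixed_version)
            if name not in by_product]


if __name__ == "__main__":
    print("product-keyed:", flag_by_product(SAMPLE_SBOM, {"Google Chrome"}))
    print("dependency-keyed:", flag_by_dependency(SAMPLE_SBOM, "libwebp", FIXED_LIBWEBP_VERSION))
    print("missed by product-keyed scan:",
          blind_spot(SAMPLE_SBOM, {"Google Chrome"}, "libwebp", FIXED_LIBWEBP_VERSION))
```

Against the sample inventory the product-keyed check reports only the browser, while the dependency-keyed check also surfaces the two other applications bundling an older libwebp; the difference is exactly the set of offerings a scanner keyed to the CVE's product field would miss. In practice the dependency list comes from a real SBOM or from inspecting the linked and vendored libraries in each build.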
Google was further criticized for limiting the scope of CVE-2023-4863 to Chrome rather than libwebp; the official description characterizes the vulnerability as a heap buffer overflow in WebP in Google Chrome.
In an email, a Google representative wrote: “Many platforms implement WebP differently. We don’t have any details on how the bug affects other products. Our focus is on community fixes of Chromium and affected Chromium users as soon as possible. It is a best practice for software products to track the streaming libraries they rely on to get security fixes and enhancements.”
The representative noted that the WebP image format is discussed in its disclosure and on the official CVE page. The representative did not explain why the official CVE and Google’s disclosure did not mention the widely used libwebp library or the possibility that other software could also be vulnerable.
A Google representative did not respond to a question asking whether CVE-2023-4863 and CVE-2023-41064 stem from the same vulnerability. Citizen Lab and Apple did not respond to questions emailed before this story went live.