this post was submitted on 29 Sep 2023
406 points (95.1% liked)

Technology

60084 readers
4914 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

Any Chromium and Firefox browser prior to version 116 will be vulnerable to this, update your browsers.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 20 points 1 year ago (2 children)

What about webview-based browsers in android phones?

[–] [email protected] 15 points 1 year ago (2 children)

As far as I'm aware this does affect Android and is not currently fixed. It's expected to be fixed in the October security patch.

This is just my memory of reading weeks ago. Someone else may know better.

[–] 9point6 9 points 1 year ago (1 children)

The Android webview is updated through the play store as of a few years ago

[–] [email protected] 4 points 1 year ago

I believe the libwebp is implemented at the OS level. Again someone else may know better.

[–] TakingOnWater 1 points 1 year ago

So if the phone gets a security update for this at the OS level, should we theoretically be safe to use apps with any sort of browser functionality? Like some apps that don't update, or are no longer being maintained, etc

[–] GamingChairModel 5 points 1 year ago

This isn't just a browser vulnerability. It's a vulnerability at a much more fundamental level, which is why it's so critical. It's a vulnerability in how almost every piece of software processes a widely supported image format, so anything that touches images is potentially at risk: browsers, chat or messaging apps, file browsers, or really anything that uses thumbnails or image previews, including some core OS functionality. On the server side, you've got anything that makes thumbnails and previews, too.

We should wait and see whether there are any practical attacks outside the browser context (maybe the malicious code needs to be placed in a web page that displays the malicious image file, or maybe they need to figure out a way to actually put all the malicious code in the image file itself). But the vulnerability itself is in a fundamental library used by a lot more software.