At the end of last week, two vulnerabilities that affect a large number of business systems were disclosed. They are tracked as CVE-2023-4863 (a heap buffer overflow in the libwebp image library) and CVE-2023-5217 (a heap buffer overflow in the VP8 encoder of the libvpx video library), and both are outlined on the National Vulnerability Database website. Because the bugs sit in open-source libraries that many products bundle, rather than in any single application, the list of affected software is unusually long. The impact is extremely serious: successful exploitation could allow an attacker to execute arbitrary code, take control of a system, and access sensitive user data, and Google has reported that both vulnerabilities were exploited in the wild before fixes were available.

A list of business programs currently known to be affected is below. Many of the vendors responsible for that software have already released patches, but a browser or desktop application typically does not finish applying an update until it is restarted, so we strongly recommend closing and relaunching all web browsers. Rebooting your computer is also advised, as that allows pending Windows updates and third-party patches to finish installing.

Currently Confirmed Vulnerable Applications:   (Updated Monday October 2nd)

  • Google Chrome
  • Firefox
  • Safari
  • Microsoft Edge
  • Microsoft Teams
  • Discord
  • Skype
  • Slack
  • Opera Browser
  • LibreOffice
  • 1Password
  • Bitwarden
  • GIMP
  • CrashPlan


This list is being compiled from various security-industry sites and forums and is based on applications known to bundle either the libwebp or libvpx open-source library. Should we learn of other major software vendors or programs being affected, we will update this blog post and list them accordingly. In the meantime, work with your IT service provider to make sure your systems are fully updated and patched.
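One practical way to confirm that the updates above actually landed is to compare the versions found on a machine against the versions in which each product shipped the fix. The script below is an added example written for this post; it is not part of the original post and not any vendor's tooling. The version thresholds in its table are what the upstream release notes and the Chrome and Firefox advisories state as far as I recall them and should be verified against those advisories before relying on them; the inventory at the bottom is constructed sample data. The one detail the script is careful about is comparing versions numerically rather than as strings, because the dotted four-part build numbers browsers use sort wrongly as text.

```python
"""Patch-status check for the libwebp / libvpx fixes.

Added example, not code from the original post. Version thresholds are assumed
from upstream release notes and vendor advisories; verify them before use.
"""
import re

# Lowest version in which each product ships the fix (assumed from vendor advisories).
FIXED_VERSIONS = {
    "CVE-2023-4863": {  # libwebp lossless-decoder heap overflow
        "libwebp": "1.3.2",
        "Google Chrome": "116.0.5845.187",
        "Firefox": "117.0.1",
    },
    "CVE-2023-5217": {  # libvpx VP8-encoder heap overflow
        "libvpx": "1.13.1",
        "Google Chrome": "117.0.5938.132",
        "Firefox": "118.0.1",
    },
}

_NUM = re.compile(r"\d+")


def parse_version(version: str) -> tuple:
    """Turn '117.0.5938.132' or '1.3.2-1ubuntu0.1' into a tuple of ints.

    Comparing version strings as text is a classic mistake: '116.0.5845.96'
    sorts *after* '116.0.5845.187' as a string even though it is older.
    Tuples of ints compare correctly. A distro suffix after '-' or '+' is
    dropped here, which means a distro backport that keeps the old upstream
    number will still look unpatched (see the note below the code).
    """
    core = version.split("-")[0].split("+")[0]
    return tuple(int(n) for n in _NUM.findall(core))


def is_patched(product: str, version: str, cve: str) -> bool:
    """True if `product` at `version` is at or above the fixed version for `cve`."""
    fixed = FIXED_VERSIONS[cve][product]
    have, need = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple so '117.0' compares as '117.0.0.0', not as a prefix.
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def needs_update(product: str, version: str) -> list:
    """CVEs for which this product/version is still below the fixed version.

    Products the table does not track for a given CVE are skipped rather than
    reported, so an unknown product yields an empty list, not a false alarm.
    """
    return [
        cve
        for cve, fixes in FIXED_VERSIONS.items()
        if product in fixes and not is_patched(product, version, cve)
    ]


def report(inventory: dict) -> dict:
    """Map each inventoried product to the list of CVEs it is still exposed to."""
    return {product: needs_update(product, version) for product, version in inventory.items()}


# Constructed sample inventory (not from any real machine).
SAMPLE_INVENTORY = {
    "Google Chrome": "116.0.5845.96",  # predates both fixes
    "Firefox": "117.0.1",              # fixed for 4863, not yet for 5217
    "libwebp": "1.3.2",                # fixed
    "libvpx": "1.12.0-1ubuntu2",       # below 1.13.1
}

if __name__ == "__main__":
    for product, outstanding in report(SAMPLE_INVENTORY).items():
        status = "OK" if not outstanding else "UPDATE: " + ", ".join(outstanding)
        print(f"{product:14s} {SAMPLE_INVENTORY[product]:22s} {status}")
```

Two caveats apply to any version-based check like this one. Linux distributions often backport a fix without changing the upstream version number, so on Debian or Ubuntu the package changelog or the distro advisory is the authority, not the number the script parses. And applications that bundle their own copy of Chromium or of the libraries (Electron-based desktop apps, for instance) carry those fixes under the application's own version number, so for them the vendor's release notes are the only reliable source.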

Links to explanations of the discovered vulnerabilities:

A new Chrome 0-day is sending the Internet into a new chapter of Groundhog Day

Google quietly corrects previously submitted disclosure for critical webp 0-day