
Malicious WebP files plague Chrome and other browsers

  • September 14, 2023


Vulnerability in web browsers

All major browsers were required to release a security patch this week. Hackers insert malicious code into WebP files to compromise memory.

The vulnerability is tracked as CVE-2023-4863, and although no rating has been calculated yet, NIST considers the flaw to be very serious. Google also warns that the security hole is being actively abused. Attackers craft malicious WebP files to cause a heap buffer overflow. WebP is a popular format for loading media files on websites. Google introduced WebP around 2010 to make attachments easier and improve website load times.

Hackers seeking to exploit the vulnerability try to fill WebP files as full of malicious code as possible in order to cause a browser memory “overflow” when the file is loaded. The “good” code is then replaced by the malicious code, which allows attackers to take control of your device.

Quick response

Fortunately, there was a unanimous, quick reaction from the browser landscape. The patches released this week make it clear how widespread the vulnerability is. Google was the first to release an update for Chrome on Monday, followed this week by Microsoft, Mozilla and Brave.

In order to safely load WebP files, the above browsers must be updated to the following versions:

  • Google Chrome: Version 116.0.5845.187/.188 (Windows) or Version 116.0.5846.187 (Mac/Linux)
  • Firefox: Version 117.0.1
  • Microsoft Edge: Version 116.0.1938.81
  • Brave: Version 1.57.64
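
An added example, not part of the original article: a small inventory audit that compares installed browser versions against the minimum versions listed above. The version numbers in `PATCHED` are copied from the list as printed; the host names and inventory rows are constructed for illustration.

```python
import re

# Minimum patched versions, exactly as listed in the article above.
PATCHED = {
    ("chrome", "windows"): "116.0.5845.187",
    ("chrome", "mac"): "116.0.5846.187",
    ("chrome", "linux"): "116.0.5846.187",
    ("firefox", None): "117.0.1",
    ("edge", None): "116.0.1938.81",
    ("brave", None): "1.57.64",
}

def parse_version(text):
    """Turn '116.0.5845.187' into (116, 0, 5845, 187); None if malformed."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def minimum_for(browser, platform):
    """Look up the platform-specific minimum, then the platform-independent one."""
    key = (browser.lower(), platform.lower())
    return PATCHED.get(key) or PATCHED.get((browser.lower(), None))

def audit(inventory):
    """Return {host: status} with status 'patched', 'vulnerable' or 'unknown'."""
    results = {}
    for host, browser, platform, version in inventory:
        minimum = minimum_for(browser, platform)
        installed = parse_version(version)
        if minimum is None or installed is None:
            results[host] = "unknown"   # not in the article's list, or unparseable
            continue
        required = parse_version(minimum)
        width = max(len(installed), len(required))
        pad = lambda v: v + (0,) * (width - len(v))  # so 117.0 compares as 117.0.0
        results[host] = "patched" if pad(installed) >= pad(required) else "vulnerable"
    return results

# Constructed inventory rows (host, browser, platform, version) for illustration.
SAMPLE = [
    ("ws-01", "Chrome", "Windows", "116.0.5845.188"),
    ("ws-02", "Chrome", "Windows", "116.0.5845.99"),   # a string compare would wrongly pass this
    ("ws-03", "Firefox", "Linux", "117.0"),
    ("ws-04", "Brave", "Mac", "1.57.64"),
    ("ws-05", "Opera", "Windows", "102.0.4880.40"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Hosts reported as `unknown` run software the list above does not cover and need a separate check against the vendor's own advisory.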

The impact of the security flaw even extends beyond the browser landscape. The messaging apps Signal and Telegram also had to roll out an emergency patch this week, as did Microsoft 365 competitor LibreOffice.

Source: IT Daily
