Google has assigned a new CVE ID, with the highest severity level, to an already-known security vulnerability. The reason: the flaw, originally classified as a Chrome bug, is actually a WebP vulnerability and therefore affects significantly more applications.
The WebP image file format is particularly popular on the web because it offers a good balance between storage size and quality. But the vulnerability allows attackers to use a specially crafted WebP image to trigger a heap buffer overflow and execute malicious code. To do this, the image must be opened in an application; in browsers, simply visiting a website is sufficient. The code executed in the background can then install malware, for example.
Numerous known applications affected
The vulnerability, which was discovered by Apple’s Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto’s Munk School, was initially wrongly classified as a pure Chrome bug; common web browsers were quickly protected with a security update. But as it has now turned out, significantly more applications are also affected.
The vulnerability lies in the open libwebp library, which is used by numerous programs. As a result, applications such as GIMP, LibreOffice, Telegram, 1Password and many others could also become targets of an attack. For this reason the CVSS score, a standardized rating for evaluating security vulnerabilities, has been raised to the highest level, 10.0.
How to protect yourself
As a user, you basically have only one way to protect yourself from this vulnerability: make sure you have the latest patches installed. Many affected applications have already released security updates that close the security hole, including browsers and LibreOffice.
Beyond that, the usual rules for browsing the web apply here too. Do not download files from unknown sources, and make sure that links in emails only lead to trusted sites.
This article was translated from German to English and originally appeared on pcwelt.de.