Patches for major security flaw rolling out, update browsers and apps

Chrome, Firefox, Edge, Signal, and more are pushing updates to protect against a WebP security vulnerability

A major security vulnerability discovered in the WebP Codec has sent software makers scrambling to release patches, and you should be installing updates to protect yourself.

The issue is somewhat complicated, but Stack Diary has an excellent breakdown of what’s going on. In short, the WebP Codec, which is used to help your device understand and display WebP images, has a heap buffer overflow vulnerability that could enable an attacker to take control of your system, steal data, or introduce malware.

Considering WebP is a widely-used image format online, the vulnerability is very severe. Moreover, software makers are aware that the vulnerability has actively been exploited. Thankfully, patches are already rolling out to address the issue.

First up, browser makers have issued critical security patches to address the vulnerability, so you’ll want to make sure your browser is updated accordingly:

  • Chrome: Windows version: 116.0.5845.187/.188 | Mac/Linux version: 116.0.5846.187
  • Edge: Version 116.0.1938.81
  • Firefox: Version 117.01, ESR version 102.15.1 or version 115.2.1
  • Brave: version 1.57.64

The Verge also notes that Apple released a security patch for macOS that appears to address the issue, though Apple’s patch references a different issue number than the one listed by the U.S. National Institute of Standards and Technology (NIST).

Stack Diary also warned that several apps are impacted and some have already pushed updates. Encrypted messaging app Signal and image viewing app Honeyview have received patches for the vulnerability. Other impacted apps include Affinity, Gimp, LibreOffice, Telegram, and many other Android apps and cross-platform apps built with Flutter.

As such, you’ll want to watch out for security patches and updates for many of your apps and make sure you’re updating things regularly over the coming days.

Source: NIST, Stack Diary
Via: The Verge