UPDATED 17:18 EDT / SEPTEMBER 13 2023


Chrome, Firefox and other browsers affected by critical WebP vulnerability

Google LLC, the Mozilla Foundation and other browser makers have released patches to fix a zero-day vulnerability affecting the WebP image format.

It’s believed that hackers are actively exploiting the flaw to launch cyberattacks. 

Google patched Chrome on Monday to fix the popular browser’s built-in WebP implementation. The Mozilla Foundation followed suit with a Firefox update on Tuesday. This morning, TechTarget reported that Microsoft Corp. has likewise released a WebP patch for Edge. 

Brave Software Inc. and Vivaldi Technologies AS, two other browser makers, also rolled out updates this week after determining their applications are affected. Moreover, it’s believed that the impact of the WebP vulnerability could extend beyond the browser ecosystem. The image format is supported by more than a dozen graphic design tools along with productivity applications such as LibreOffice.

The WebP security flaw is tracked as CVE-2023-4863. It’s rated as Critical, the highest possible severity level for a software vulnerability. In the blog post announcing its Chrome patch, Google detailed that the vulnerability was discovered by researchers at Apple Inc. and Citizen Lab. 

WebP is an image format that Google released in 2010. It’s partly based on VP8, a technology that compresses video files to reduce the amount of storage capacity they require. WebP is positioned as an alternative to other image formats such as the JPEG, PNG and GIF standards.

The flagship feature of WebP is that it requires less storage space than some competing technologies. Switching an image from JPEG to WebP can reduce its storage footprint by more than 30%, which makes websites that use the format load faster. Additionally, the technology supports both static images and animations, which typically have to be stored in separate formats.

Google didn’t go into detail about the technical aspects of the newly disclosed WebP vulnerability. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company stated. However, Google did divulge that the vulnerability involves a type of memory error known as a heap buffer overflow.

The operating system on which browsers and other programs run allocates them memory for use in computations. Upon launching, an application divides the memory it receives into so-called segments. Each such segment contains a small portion of the application’s data.

A buffer overflow occurs when more data is written into a memory segment than it can accommodate. In such situations, the excess data overwrites the information stored by neighboring memory segments. Hackers can exploit that phenomenon to overwrite sensitive components of a program with malicious code.

The buffer overflow vulnerability in WebP affects a portion of programs’ memory that is known as the heap. It typically stores data that an application uses for an extended amount of time. Other types of data assets are stored in the so-called stack, a portion of programs’ memory that has different technical characteristics.
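The mechanism described above can be seen in a small C program, added here as an illustration; it is not code from WebP or from any browser, and Google has not published the details of the actual flaw. The buffer sizes, names and the 24-byte input are constructed for the example, and a single heap allocation stands in for two neighboring heap objects so the program is safe to run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN   16  /* capacity of the image-data buffer (constructed) */
#define NEIGH_LEN 16  /* size of the data stored right after it */
static const char NEIGH[NEIGH_LEN] = "NEIGHBOUR-STATE";

/* One heap block stands in for two adjacent heap objects, so the spill
 * below stays inside a single allocation and is well-defined to run. */
static unsigned char *make_block(void) {
    unsigned char *b = malloc(BUF_LEN + NEIGH_LEN);
    if (!b) return NULL;
    memset(b, 0, BUF_LEN);
    memcpy(b + BUF_LEN, NEIGH, NEIGH_LEN);
    return b;
}

/* Unchecked: trusts the length that came with the input (the bug class). */
static void copy_unchecked(unsigned char *b, const unsigned char *src, size_t n) {
    if (n > BUF_LEN + NEIGH_LEN) n = BUF_LEN + NEIGH_LEN; /* demo guard only */
    memcpy(b, src, n);  /* n > BUF_LEN overwrites the neighbour */
}

/* Checked: refuses input that does not fit the buffer. */
static int copy_checked(unsigned char *b, const unsigned char *src, size_t n) {
    if (n > BUF_LEN) return -1;
    memcpy(b, src, n);
    return 0;
}

/* Returns 1 if a 24-byte input corrupts the neighbour, 0 if not, -1 on OOM. */
static int corrupts(int use_checked) {
    unsigned char input[24], *b = make_block();
    if (!b) return -1;
    memset(input, 'A', sizeof input);  /* constructed oversized input */
    if (use_checked) (void)copy_checked(b, input, sizeof input);
    else copy_unchecked(b, input, sizeof input);
    int bad = memcmp(b + BUF_LEN, NEIGH, NEIGH_LEN) != 0;
    free(b);
    return bad;
}

int main(void) {
    printf("unchecked copy corrupts neighbour: %d\n", corrupts(0));
    printf("checked copy corrupts neighbour:   %d\n", corrupts(1));
    return 0;
}
```

The only difference between the two copy functions is the length check against the buffer's capacity, which is the kind of validation whose absence defines this class of bug.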

Buffer overflow vulnerabilities are discovered in popular browsers from time to time. Last November, Google fixed such a vulnerability in the desktop version of Chrome. A few months earlier, a buffer overflow issue was found in Apple’s competing Safari browser. 
