Ask HN: How serious is the WebP bug?

5 points

3 years ago

I have not seen any in-depth coverage of this so I thought I would ask HN and perhaps people with more expertise can provide clarity.

For starters, the context:

https://news.ycombinator.com/item?id=37478403

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html?m=1

https://nvd.nist.gov/vuln/detail/CVE-2023-4863

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/

——————

Google themselves said in their update that they found the vulnerability thanks to Citizen Lab, does this mean that the CVE affects and can be exploited in more than just browsers - realistically speaking.

The CVE was assigned specifically to Chrome and it says “through a maliciously crafted HTML page”, but wasn’t the iOS bug specific to iMessage?

That is also the part I don’t understand fully.

Quite a few software/projects have pushed an update for their libwebp versions now, so that’s why I am curious.