Webp Virus, fears, nightmares, suggestions, or exodus from the internet?

[Dixel]

I can suggest, as a quick fix, to search chrome.dll and replace all occurrences of "webp,image" with "apng,image", without quotes. Use any HEX edit software, make a backup before!

With this dirty, nasty hack, your browser supposed to not accept webp virus, though I don't know if the website you visit don't support any other formats, so test it and report here!

You aren't losing anything, since it's a junk, low quality format, to begin with.

And what are you gonna do? Please share your fears, suggestions, opinions.

Check here:

OLD (before the edit)

image/avif,image/webp,image/apng,image/svg+xml,image/

NEW (after the edit)

image/avif,image/apng,image/apng,image/svg+xml,image/

https://www.amiunique.org/fingerprint

This will make you unique, so proceed with caution, good luck!

[Dixel]

Placeholder.

[NotHereToPlayGames]

26 minutes ago, Dixel said:

I can suggest, as a quick fix, to search chrome.dll and replace all occurrences of "webp,image" with "apng,image", without quotes.

[Tripredacus]

Webp being such a terrible idea, how about any methods to block it at the OS level, no matter what browser you are using? Since as I am reading, the WEBP vulnerability is not limited to Chrome or even Windows.

[rereser]

this dll edit does nothing for me on 360Chrome 13.5.2036.

test : https://developers.google.com/speed/webp/gallery1

Edited September 18 by rereser

[Dixel]

What does the test page tell you? Post the screenshot please.

Did you disable Client Hints? 

After the edit it should be.

image/avif,image/apng,image/apng,image/svg+xml,image/

It's the header which tells the sites what's your browser can accept.

[NotHereToPlayGames]

6 minutes ago, Dixel said:

It's the header which tells the sites what's your browser can accept.

Agreed.  A very easy fix using Proxomitron.  At least it should be, I haven't tried as of yet.

[Dixel]

3 hours ago, Tripredacus said:

Webp being such a terrible idea, how about any methods to block it at the OS level, no matter what browser you are using? Since as I am reading, the WEBP vulnerability is not limited to Chrome or even Windows.

Obviously don't use Windows gallery anymore, pick some old software without webp format, to browse pics on your PC/laptop. Then make that programme default, so you won't accidentally open webp with native windows tools.

I use the famous German NERO 8 (yes very old, 2007 or so). It doesn't know what webp is, so If I click on webp, even without extension, it doesn't know what to do with it.

[Dixel]

3 hours ago, Tripredacus said:

Webp being such a terrible idea, how about any methods to block it at the OS level, 

At the OS level, uninstall all third party codecs, if you have any, ASAP. Any codec sets that add webp codec to the OS (K-lite and the such). Also, I suggest to uninstall all VP8 codec iterations, since it's basically the same with webp.

For example, the famous French VLC player doesn't need any codecs in the system, it has its own.

[rereser]

New Moon 28 with setting "image.webp.enabled" to false :
webp images on https://developers.google.com/speed/webp/gallery1 are not loaded , so that works.

when testing 360Chrome 13.5.2036 against the amiunique.org site , the http header is changed after the dll edit as you posted.
but the webp images on developers.google.com are still displayed.

https://superuser.com/questions/1179401/how-to-disable-webp-images-in-chrome
the suggestion posted here : change the "Accept Request Header" and the "user agent" to a non webp supported browser also has no effect on 360Chrome.

just my results as you requested.

my opinion : this "threat" will vanish as soon as it became public.
with every major browser now patched , software and even on the OS level there is nothing to exploit.
the "common user" is not even the target.

Edited September 18 by rereser

[UCyborg]

I vote for exodus from the internet.

But if that's not possible, cut the internet use to the minimum, especially over-engineered complex websites, use less known web browsers, less known OS etc.

In the grand scheme of things, this vulnerability is already history. They won't target some weirdos holding onto historic OS/browsers. Surely some new one may appear some day, for that case, read the previous paragraph again.

Edited September 18 by UCyborg

[AstroSkipper]

42 minutes ago, rereser said:

New Moon 28 with setting "image.webp.enabled" to false :
webp images on https://developers.google.com/speed/webp/gallery1 are not loaded , so that works.

@roytam1 has already fixed this security vulnerability in his latest release of New Moon 28:

On 9/16/2023 at 1:36 AM, roytam1 said:

New build of Serpent/UXP for XP!

Test binary:
Win32 https://o.rthost.win/basilisk/basilisk52-g4.8.win32-git-20230916-3219d2d-uxp-58a39ca8cb-xpmod.7z
Win64 https://o.rthost.win/basilisk/basilisk52-g4.8.win64-git-20230916-3219d2d-uxp-58a39ca8cb-xpmod.7z

source code that is comparable to my current working tree is available here: https://github.com/roytam1/UXP/commits/custom

IA32 Win32 https://o.rthost.win/basilisk/basilisk52-g4.8.win32-git-20230916-3219d2d-uxp-58a39ca8cb-xpmod-ia32.7z

source code that is comparable to my current working tree is available here: https://github.com/roytam1/UXP/commits/ia32

NM28XP build:
Win32 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win32-git-20230916-d849524bd-uxp-58a39ca8cb-xpmod.7z
Win32 IA32 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win32-git-20230916-d849524bd-uxp-58a39ca8cb-xpmod-ia32.7z
Win32 SSE https://o.rthost.win/palemoon/palemoon-28.10.7a1.win32-git-20230916-d849524bd-uxp-58a39ca8cb-xpmod-sse.7z
Win64 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win64-git-20230916-d849524bd-uxp-58a39ca8cb-xpmod.7z

Official UXP changes picked since my last build:
- Issue #2301 - Make Gecko Media Plugins optional when not building EME or WebRTC (9e7d1492e6)
- Issue #2309 - Cherry-pick upstream libwebp fix. (20b69d7ddc)

No official Pale-Moon changes picked since my last build.

No official Basilisk changes picked since my last build.

My changes picked since my last build:
- [libwebp] Fix OOB write in BuildHuffmanTable. (61de658e45)
- [libwebp] Fix invalid incremental decoding check. (3b44f9850e)
- configure: move MOZ_GMP define block after MOZ_EME (f5cacdadbf)
- dom/media: more eme fixes (58a39ca8cb)

Update Notice:
- You may delete file named icudt*.dat inside program folder when updating from old releases.

* Notice: From now on, UXP rev will point to `custom` branch of my UXP repo instead of MCP UXP repo, while "official UXP changes" shows only `tracking` branch changes.

Therefore, setting the pref image.webp.enabled to false is not really needed anymore.

Edited September 18 by AstroSkipper

[Sampei.Nihira]

For you who use browsers that are probably not already patched, I am including the fix that is valid for Chromium-based browsers:

https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a

https://github.com/webmproject/libwebp/releases/tag/v1.3.2

 

For Firefox:

https://hg.mozilla.org/releases/mozilla-release/rev/e245ca2125a6eb1e2d08cc9e5824f15e1e67a566

 

P.S.

Pale Moon has already fixed this vulnerability.

Edited September 19 by Sampei.Nihira

[jaclaz]

It seems the issue is way more common than Chrome/Chromium :

https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/

jaclaz

 

[Dixel]

4 hours ago, Sampei.Nihira said:

https://github.com/webmproject/libwebp/releases/tag/v1.3.2

 

" security fix for lossless decoder"  lossless?