
Webp Virus, fears, nightmares, suggestions, or exodus from the internet?


Dixel


On 9/18/2023 at 9:04 AM, rereser said:

New Moon 28 with setting "image.webp.enabled" to false :
webp images on https://developers.google.com/speed/webp/gallery1 are not loaded , so that works.

when testing 360Chrome 13.5.2036 against the amiunique.org site , the http header is changed after the dll edit as you posted.
but the webp images on developers.google.com are still displayed.

https://superuser.com/questions/1179401/how-to-disable-webp-images-in-chrome
the suggestion posted here : change the "Accept Request Header" and the "user agent" to a non webp supported browser also has no effect on 360Chrome.

just my results as you requested.

my opinion : this "threat" will vanish as soon as it became public.
with every major browser now patched , software and even on the OS level there is nothing to exploit.
the "common user" is not even the target.

In this case, maybe try to make it shorter?

If you patched the header with new method, can also test it here.

https://swifttls.org/

My result below.

swifttls.org.png



This is not going to be "for everyone", some folks believe in every "scare tactic" thrown at them.

But "for me", I'm opting to do NOTHING in regards to this Weppy Scare.  My computer does NOT protect against Meltdown and Spectre and it will also NOT protect against Weppy.

We used to have a saying, "Practice Safe Hex".  I've never been hit with a virus or malware and I don't visit the sorts of web sites where one is prone to these "dark shadows".

To each their own, of course.  But to me, this is just hype and propaganda.  Much ado about nothing.  Mileage may vary.


Actually, allow me to rephrase that.

We (the sort of folks that become members of forums such as MSFN) may not agree on MVPS Hosts versus hardware firewall versus software firewall versus real-time full-time anti-virus versus on-demand malware scans versus Proxomitron versus uBO versus uMatrix versus DoH versus NoScript versus HTTPS Everywhere versus a hundred different things, but what we all do have in common is that we do Practice Safe Hex in our own preferred ways.

I'll use uBO as an example.  While this "Weppy Scare" does supposedly exist "in the wild", my hunch is that there is a uBO "list" that already safeguards from the "in the wild" web site that technically only exists "in theory".

I wouldn't mind knowing EXACTLY where this "in the wild" actually IS.  But they never seem to tell you that, it's just the normal "update now!" routine, "You are not safe unless you update now!  Update your OS!  Update your browser!  Update Now!"

"Blah blah blah" - https://www.youtube.com/watch?v=mfJhMfOPWdE


7 hours ago, NotHereToPlayGames said:

I'm opting to do NOTHING in regards to this Weppy Scare.

And what if people just want to block it due to the crappy quality?

"I hate webp with every fiber of my being......"

"it's F...ing everywhere now. and they look like crap. id*** putting up low res webp's and just dynamically upscaling them to fit. And it look sh*t. Blurry as hell, smudged...

People have even begun using them in renpy games or rpgm, or any other game they are able to get it to work in."

"It's just bad, even colours look a little off in them"

https://www.reddit.com/r/chrome/comments/btblqh/how_do_i_disable_webp/

 


Totally agreed.  It's like anti-alias sub-pixel fonts.  I get migraines from anti-alias sub-pixel fonts and most of my coworkers can't even "see" the difference.

I've also noticed those crappy quality images even here at MSFN.  But they weren't .webp at the time, they were .png images and it was tied to what they used in order to do the screencap.

It doesn't seem that widespread to me.  My news and financial web sites don't rely on .webp as they are not that graphic-intensive.  And I don't do games, so no frame of reference there.

It is extremely surprising that even if I set up an "accept" header that should indicate "don't serve me weppy", the web sites IGNORE the "accept" header and serve them anyway.    :realmad:


10 hours ago, Dixel said:

Yep, looks like you're right, I don't see any links to the actual webp they declare to "test", I switched to basic HTML to show it, but for some reason it is now in German!

German.png

The link posted above does not fully encapsulate the URL, leaving off the locale part, and it seems like that site defaults to German (de) if the locale is not used.


I won't pretend I'm 100% safe, the danger could always strike from anywhere. Though the few websites I normally visit don't seem to depend on WebP images, I tried browsing a bit with SeaMonkey, Pale Moon no longer has the pref to turn WebP support off.

On the topic of security exploits, I've read (certain?) older Call of Duty games have some nasty remote code execution exploits that according to some discussions have been used in the wild, it's the case for releases starting from 2009 or so at least. Strange feeling reading about them, I played those online a lot in the good ol' days.

Just mentioning it due to similarity that you don't really have to "do anything wrong", just appear in the wrong lobby at the wrong time and strange things may start to happen on your computer.

12 hours ago, NotHereToPlayGames said:

"Practice Safe Hex"

:buehehe:

First time I hear that phrase.


  • 2 months later...
On 9/20/2023 at 2:45 AM, NotHereToPlayGames said:

While this "Weppy Scare" does supposedly exist "in the wild", my hunch is that there is a uBO "list" that already safeguards from the "in the wild" web site that technically only exists "in theory".

I wouldn't mind knowing EXACTLY where this "in the wild" actually IS.  But they never seem to tell you that, it's just the normal "update now!" routine, "You are not safe unless you update now! Update your OS!  Update your browser!  Update Now!"

I read quite a bit about this vulnerability back when it came to our attention. AIUI, the "in the wild" exploit was a spear-phish - it was used to spy on a specific individual via his smart phone. I don't believe the target's name was revealed, for obvious privacy reasons. Edit: According to this Cloudflare blog post:

Quote

In early September, Citizen Lab, a research lab based out of the University of Toronto, reported on an apparent exploit that was being used to attempt to install spyware on the iPhone of "an individual employed by a Washington DC-based civil society organization."

Spear-phishing is usually done by email, so a Web browser may not have been involved at all. But, unlike with a typical email phish, this victim didn't need to click a link, open an attachment, or respond to the email in any way. And the malicious WebP was likely an innocuous, or possibly even invisible, image.

On 9/19/2023 at 6:34 AM, j7n said:

Any webp file I open on my computer in IrfanView I would have intentionally saved because it had real content.

But you're assuming that a malicious WebP file could not also contain a real image. I don't believe that's been shown to be the case.

That, I think, is what folks don't get about this vulnerability. Anyone could unknowingly be spreading malware simply by sharing a cool image or posting it to social media. (I would hope that most social media companies scan uploaded WebP's for the exploit nowadays, but I wouldn't bet on it.) Maybe your browser is patched, but if you download it and your photo viewer isn't patched, bam!


On 9/19/2023 at 5:38 AM, Dixel said:

" security fix for lossless decoder"  lossless?

WebP is a combination of two different image formats: a lossy format similar to JPEG using VP8 codec, and a lossless format using WebP's custom lossless codec. The bug was in the lossless codec's handling of Huffman coding.
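
The split between the two codecs described in the post above is visible in the file's RIFF container. As an added example (not part of the thread or any poster's code), this Python check walks a WebP file's chunks and reports whether it would reach the lossy VP8 decoder, the lossless VP8L decoder, or both; it classifies the container only and does not detect a malicious file. The function names are this example's own and the sample bytes are constructed.

```python
import struct

def webp_codecs(data: bytes) -> set:
    """Return which WebP decoders a file would exercise: 'lossy' (VP8) and/or
    'lossless' (VP8L, or an ALPH chunk compressed with the lossless format)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)    # never trust the declared size
    found = set()
    _walk(data, 12, end, found)
    return found

def _walk(data, pos, end, found):
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body, body_end = pos + 8, min(pos + 8 + size, end)
        if fourcc == b"VP8 ":
            found.add("lossy")
        elif fourcc == b"VP8L":
            found.add("lossless")
        elif fourcc == b"ALPH" and body < body_end and data[body] & 0x03 == 1:
            found.add("lossless")           # alpha plane stored with the lossless codec
        elif fourcc == b"ANMF":
            _walk(data, body + 16, body_end, found)  # frame chunks follow 16 parameter bytes
        pos = body + size + (size & 1)      # chunk payloads are padded to even length

def _chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + b"\x00" * (len(payload) & 1)

def _riff(*chunks):
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples: container structure only, no decodable image data.
SAMPLE_LOSSY = _riff(_chunk(b"VP8 ", b"\x00" * 10))
SAMPLE_LOSSLESS = _riff(_chunk(b"VP8L", b"\x2f" + b"\x00" * 4))
SAMPLE_ALPHA = _riff(_chunk(b"VP8X", b"\x10" + b"\x00" * 9),
                     _chunk(b"ALPH", b"\x01\x00"), _chunk(b"VP8 ", b"\x00" * 10))
SAMPLE_ANIM = _riff(_chunk(b"ANMF", b"\x00" * 16 + _chunk(b"VP8L", b"\x2f" + b"\x00" * 4)))
```

The third sample shows why checking only for a top-level VP8L chunk is not enough: a lossy image can still carry an alpha plane that is decoded by the lossless codec.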


Do you think the virus could equally run in any program capable of displaying WebP, or does it have to be crafted to attack a specific web browser? I'll admit, I don't understand the technical details. But once the program overflows in an attempt to run the virus, the image viewer is likely to become corrupted. They only need to run the virus once to do its job.

I've not yet encountered new viruses. I only recently updated New Moon, and still use Opera 12 and Opium 93.0.


9 hours ago, Mathwiz said:

a lossless format using WebP's custom lossless codec. The bug was in the lossless codec's handling of Huffman coding.

WebP's custom lossless codec (with that well known bug) is not only extremely rare, but most importantly isn't relevant to this discussion, since none of the websites serve it.


@j7n: I think an exploit would have to be specific to at least the OS; probably also to the program that displays the malicious image. Since most folks are using updated browsers and image display programs now, I think the danger of a "generic" virus being passed around is now rather small, although not zero. No hackers are trying to spread ransomware among the tiny numbers of XP and Vista users any more.

I think the greatest risk to XP and Vista users is from spear-phishing. Don't think you're an unlikely target just because you aren't a criminal and therefore "have nothing to hide." If you have access to confidential information at your job, if you have a jealous/suspicious spouse or partner (even if the suspicions are unjustified), or even if you hold unpopular political opinions, there are folks with reason to spear-phish you.

Those folks would likely know that you use older, unpatched software because the newer, patched versions don't run on XP or Vista. A hacker could use that knowledge to craft a malicious WebP image and send it to you in an email. If the WebP image is part of the email itself (as opposed to just a link) your email client (which could be a Web browser using Web mail) wouldn't even give a warning before trying to display it. You would be vulnerable if your email client or browser is new enough to use the "optimized" libwebp from 2014, but not new enough to have the patch from this September.

But as far as using an unpatched browser, I think the danger is small; mostly from sites where user-created images could be hosted, such as social media, fora (like MSFN!) and/or Web mail. So you should be reasonably safe using unpatched browsers like 360EE, Kafan, etc., as long as you don't use them for those kinds of sites.
