
Webp Virus, fears, nightmares, suggestions, or exodus from the internet?


Dixel


Just to show the skeptics that the vulnerability is real and not mere fearmongering, you can download a "bad" WebP image here:

https://github.com/mistymntncop/CVE-2023-4863/raw/main/bad.webp

Important note: This WebP file does not contain any malware or exploit code! I wouldn't link to such a thing here on MSFN, even with a warning (and if it did, I don't think GitHub would allow it anyway). But it does trigger a buffer overflow in unpatched software, likely leading the software to crash. (For example, I got the "Aw, snap!" page in 360EE.) Therefore, you can use this as a "quick-and-dirty" test for vulnerable, unpatched software.

On patched software (I used @roytam1's Serpent 55) the image displays a hard-to-read, black-on-grey image of the text of the above URL, showing that in theory, a WebP file can both contain actual content and exploit the overflow bug.

I was pleased that Microsoft Security Essentials on Windows 7 detects the problem with the file and quarantines it! I'm not sure how thorough MSE's scanning is, but if you have Windows 7, it appears that MSE (which is free AV software from Microsoft) will keep you safe from (at least) downloading a file with this exploit. I don't say this often, but hooray Microsoft!

Also, the fact that MSE can successfully scan WebP files for this issue implies that other Web sites should be doing the same thing. Now I don't know for sure that they all do, but it gives me some confidence that a malicious WebP will be caught before it can spread over social media. Email providers should be doing the same, of course. So that makes WebP seem a lot less scary than it was in September.

I'm not sure which, if any, AV products will do the same for XP or Vista. That might be worth testing.

Edited by Mathwiz
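An added example, not part of the post above or any MSFN member's code: a minimal content-based triage that an upload or mail handler on any OS could run to find WebP files and tell which ones reach libwebp's lossless decoder, the code path fixed in libwebp 1.3.2 for CVE-2023-4863. The function names, labels and sample bytes are constructed for illustration; it classifies containers and does not detect exploit content.

```python
import struct

def _walk(data, pos, end, kinds):
    """Walk RIFF chunks in data[pos:end], recording the bitstream kinds seen."""
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if body + size > end:              # declared size runs past the container
            kinds.add("malformed")
            return
        if fourcc == b"VP8 ":
            kinds.add("lossy")
        elif fourcc == b"VP8L":
            kinds.add("lossless")
        elif fourcc == b"ALPH" and size and (data[body] & 0x03) == 1:
            kinds.add("lossless")          # alpha plane coded with the lossless format
        elif fourcc == b"ANMF" and size >= 16:
            _walk(data, body + 16, body + size, kinds)  # frame chunks follow a 16-byte header
        pos = body + size + (size & 1)     # chunks are padded to an even length

def classify(data: bytes) -> str:
    """Classify by content, ignoring file name and declared MIME type."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return "not-webp"
    kinds = set()
    riff_end = 8 + struct.unpack_from("<I", data, 4)[0]
    _walk(data, 12, min(len(data), riff_end), kinds)
    if "malformed" in kinds or not kinds:
        return "webp-malformed"
    return "webp-lossless" if "lossless" in kinds else "webp-lossy"

# Constructed sample inputs (not real images): just enough container to classify.
def _chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + b"\0" * (len(payload) & 1)

def _riff(*chunks):
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

SAMPLES = {
    "avatar.jpg": _riff(_chunk(b"VP8L", b"\x2f\0\0\0\0")),  # WebP lossless content, .jpg name
    "banner.webp": _riff(_chunk(b"VP8 ", b"\0" * 10)),
    "icon.webp": _riff(_chunk(b"VP8X", b"\0" * 10), _chunk(b"ALPH", b"\x01\0\0"),
                       _chunk(b"VP8 ", b"\0" * 4)),
    "cut.webp": _riff(_chunk(b"VP8L", b"\x2f\0\0\0\0"))[:-3],  # truncated chunk
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} {classify(blob)}")
```

What to do with each label (hold, re-encode with a patched decoder, reject) is a policy choice left to the caller.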


Thanks.

I do have a file called libwebp-1.3.2 - webp patch.zip (I don't recall if I renamed it on my end or not) that was provided by an MSFN Member for the purposes of patching 360Chrome.

But that same MSFN Member has not answered any PMs since October 1 (the timestamp on my downloaded patch which inside is dated September 13).

So this seems to have fallen upon a degree of "I have to teach myself how to implement the patch" which is simply not a priority "in my life".

Maybe some day - because I felt "safe" on XP because hackers tend not to waste their time with such a small subset of society, but I do not have the sense of security (real or perceived) now that I'm on Win10.


3 hours ago, NotHereToPlayGames said:

Thanks.

I do have a file called libwebp-1.3.2 - webp patch.zip (I don't recall if I renamed it on my end or not) that was provided by an MSFN Member for the purposes of patching 360Chrome.

But that same MSFN Member has not answered any PMs since October 1 (the timestamp on my downloaded patch which inside is dated September 13).

So this seems to have fallen upon a degree of "I have to teach myself how to implement the patch" which is simply not a priority "in my life".

Maybe some day - because I felt "safe" on XP because hackers tend not to waste their time with such a small subset of society, but I do not have the sense of security (real or perceived) now that I'm on Win10.

Not every member prefers PMs, I can even relate to this. But why won't you ask him in public then?

I mean, it's a clearly on-topic, public issue, most importantly: that member shared the patch publicly! Quote from his post.

"For you who use browsers that are probably not already patched, I am including the fix that is valid for Chromium-based browsers":

https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a

https://github.com/webmproject/libwebp/releases/tag/v1.3.2

Link to the original post.

https://msfn.org/board/topic/185031-webp-virus-fears-nightmares-suggestions-or-exodus-from-the-internet/?do=findComment&comment=1252144


6 minutes ago, D.Draker said:

Not every member prefers PMs

Agreed.  I'm actually one of them.  It would take two hands and one foot to count the digits of times where MSFN Members have "disliked" the manner in which my OCD manages my PMs.  "Not my problem"  :ph34r:

At any rate - @Sampei.Nihira, any guidance you may have on implementing the webp patch for 360Chrome browsers would be helpful.

I could very likely "learn it" on my own, to be honest, but the priority on doing that is very very VERY low and other 360Chrome users would "probably" prefer to not wait that long, lol.


Usually it is the providers of the browsers that have to report whether their browser is vulnerable.
So first we need to know if the browser (which seems to me to be closed code) has received the patch.

https://www.akamai.com/blog/security-research/guidance-on-critical-chrome-vulnerabilities-libwebp-and-libvpx

https://blog.isosceles.com/the-webp-0day/

Browser development was not my area of work, so you have to ask the appropriate people.

I once provided a patch to Roytam for Thunderbird OAUTH support to apply to MailNews.
But then he was the one who implemented it. :)

Ask here:

https://groups.google.com/a/webmproject.org/g/webp-discuss

 

P.S.

As I wrote to you in the private message, I retired.

Edited by Sampei.Nihira

17 hours ago, Mathwiz said:

Also, the fact that MSE can successfully scan WebP files for this issue implies that other Web sites should be doing the same thing. Now I don't know for sure that they all do, but it gives me some confidence that a malicious WebP will be caught before it can spread over social media.

Many servers run on Linux, not Windows.


Even if it seems excessive to me, anyone who believes that their browser has not received the patch, or who has no confidence in the installed anti-exploit/anti-malware software, can insert this rule in my filters in uBlock Origin:

||*.webp^$script,document,important

As you well know, the parameter "important" prevents any exception; if it is too restrictive for you, it can be eliminated.

P.S.

For anyone who wants to take a test:

https://developers.google.com/speed/webp/gallery1?hl=en

Edited by Sampei.Nihira

3 hours ago, Sampei.Nihira said:

Even if it seems excessive to me, anyone who believes that their browser has not received the patch, or who has no confidence in the installed anti-exploit/anti-malware software, can insert this rule in my filters in uBlock Origin:

||*.webp^$script,document,important

As you well know, the parameter "important" prevents any exception; if it is too restrictive for you, it can be eliminated.

P.S.

For anyone who wants to take a test:

https://developers.google.com/speed/webp/gallery1?hl=en

This simply leads to an empty window where the image is supposed to be. Seems rather desperate, sorry.


3 hours ago, Sampei.Nihira said:

 

4.jpg

Well, yeah, that's exactly what I'm talking about, it simply won't load the image, it prevents it from loading at all, with many websites using only WebP - this doesn't look like a fix.


8 hours ago, Karla Sleutel said:

Am I safe on Brave 1.50.xx? It runs on Chromium 110.

Hard to tell, depends on whether they bothered themselves to patch that 1 year old version, which I doubt.

On the other hand, there was a patch for even older chrome 109, so who knows.

If it's a nightly version, then most certainly - no.

Their nightly, if I'm not mistaken, started to get these patches in 118.


On 12/3/2023 at 8:23 PM, Mathwiz said:

Just to show the skeptics that the vulnerability is real and not mere fearmongering, you can download a "bad" WebP image here:

I just get the image attached, no crash, nothing, on sp52 hardened to boot.

PS: I get the same thing in my social media profile where I visit all the bad bloated fellas, safely enough, apparently.

Noname.png

Edited by dmiranda

On 12/4/2023 at 2:06 PM, Dixel said:

Well, yeah, that's exactly what I'm talking about, it simply won't load the image, it prevents it from loading at all, with many websites using only WebP - this doesn't look like a fix.

Well, time for those sites to change their practices, period. I ceased to use flash, webgl almost decades ago. I don't think I missed anything of importance. As any M.D (even more if s/he has a PhD) would say: if drinking wine makes you ill, don't drink it.

PS: but if you have to, the suggested ublock fix allows you to satisfy your thirst, anyway. Just allow the glass to reach your lips temporarily or permanently. Hic!

 

Noname1.png

Edited by dmiranda