Be Sure to Keep Your Eye on Vulnerabilities and Zero Day Alerts
Most people these days that are conscious of security and privacy will use Ad-Blockers and advanced settings in their browsers to block malicious downloads. But what they may not understand is that browsers frequently have bugs and errors by their developers, rendering them instantly vulnerable to attack despite these protections. This is the realm of ‘Zero Day’ threats, where users of a software application (in this case, your Web browser), have no prior warning to take action.
One Example: The WebP Library Bug
One example of this recently was the revelation of a critical flaw last October that allowed attackers to run malicious code on targeted devices. This affected not only ALL major Web browsers, but other applications using this very popular code library – which users assume are very secure. Examples here included:
- Telegraph
- 1Password
- Thunderbird
If you did not take immediate action, the probability of attack was high because attackers now all know about the vulnerability as well! Well, actually, they probably already knew and were exploiting it – which is how it got discovered by the ‘good guys’.
Keeping track of these kinds of things can be daunting. That’s why we created this handy search tool:
It pulls data from the Cybersecurity Infrastructure & Security Agency (CISA)’s Known Exploited Vulnerability (KEV) catalog, the authoritative source of vulnerabilities that have been exploited in the wild. This is a fantastic resource, but difficult to use and understand for non-technical people – who are often the ones at most risk! Therefore, we are developing this tool to make this important information more accessible and actionable to everyday users, small businesses, organizations and workgroups.
More Details on the WebP Zero Day Flaw
Wired Magazine
Unless you updated your browser in the past few days, it likely contains a critical flaw. The recently disclosed vulnerability exists in the WebP code library known as libwebp, which encodes and decodes images in the widely used WebP format. Known generally as a “heap buffer overflow,” the flaw can be exploited using a specially crafted malicious image, allowing an attacker to run malicious code on a targeted device. Google says the bug has already been exploited in the wild.
Initially identified early this week as a zero-day vulnerability in Google’s Chrome browser, the libwebp bug impacts browsers built using Chromium, which means Chrome, Mozilla’s Firefox, Microsoft Edge, Opera, Brave, and more. It also affects apps like Telegram, 1Password, Thunderbird, and Gimp. Patches for the flaw are rolling out now, so keep your eyes peeled for updates.
Stack Diary
A significant vulnerability in the WebP Codec has been unearthed, prompting major browser vendors, including Google and Mozilla, to expedite the release of updates to address the issue.
National Vulnerability Database
Go direct to the source if you are interested in the technical details and updates.