• Tibert@compuverse.uk
    34 upvotes · 1 year ago

    The bad news is that Android is still likely affected. Similar to Apple’s ImageIO, Android has a facility called the BitmapFactory that handles image decoding, and of course libwebp is supported. As of today, Android hasn’t released a security bulletin that includes a fix for CVE-2023-4863 – although the fix has been merged into AOSP. To put this in context: if this bug does affect Android, then it could potentially be turned into a remote exploit for apps like Signal and WhatsApp. I’d expect it to be fixed in the October bulletin.

    So a no-click device hack?

    • Radiant_sir_radiant@beehaw.org
      8 upvotes · 1 year ago

      If I understand the article right, it’s more of a no-click hack for any single app that the attacker can get to display an image. Stepping out of the app’s sandbox would need another exploit.
      Still bad enough though.

    • It’s the same exploit that got patched for iOS iMessage a while back. Most apps parsing WebP images have this library in use somewhere, and any of those apps can be tricked into executing malicious code by parsing the image.

      Depending on the app, the impact may be small (only parsing it when you try to open the file, for example) or it could be a silent killer if the image gets parsed the moment a message is received (what iMessage did and what various other apps probably also do).

      The update has been out for a while, so as long as you update your apps regularly you’re probably not in any danger. Attackers will need a second exploit to get privilege escalation and do anything useful on mobile operating systems and sandboxed applications (UWP/Flatpak/Snap).

    • Lojcs@lemm.ee
      5 upvotes · 1 year ago

      Not a device hack, I don’t think it could escalate but it could cause damage otherwise.