this post was submitted on 26 Sep 2023
55 points (100.0% liked)

Technology

[–] [email protected] 34 points 11 months ago (3 children)

The bad news is that Android is still likely affected. Similar to Apple's ImageIO, Android has a facility called the BitmapFactory that handles image decoding, and of course libwebp is supported. As of today, Android hasn't released a security bulletin that includes a fix for CVE-2023-4863 -- although the fix has been merged into AOSP. To put this in context: if this bug does affect Android, then it could potentially be turned into a remote exploit for apps like Signal and WhatsApp. I'd expect it to be fixed in the October bulletin.

So a no-click device hack?

[–] [email protected] 8 points 11 months ago

If I understand the article right, it's more of a no-click hack for any single app that the attacker can get to display an image. Stepping out of the app's sandbox would need another exploit.
Still bad enough though.

[–] [email protected] 5 points 11 months ago

Not a device hack, I don't think it could escalate but it could cause damage otherwise.