Urgent Security Updates: Apple and Google Tackle Zero-Day Exploits

Politics, News Sept. 15, 2023, 4:41 a.m.

Apple and Google swiftly respond to zero-day exploits in iOS and Chrome, addressing vulnerabilities involving image formats. Security updates for various browsers and software are recommended.

Apple recently released iOS 16.6.1 to address a critical zero-day exploit involving ImageIO, and now Google has hurriedly rolled out an emergency security update for Chrome users to tackle a zero-day threat affecting the WebP image format. What's intriguing is the timing and similarities between these two security responses.

Just days after Apple's iOS update, Google's emergency security patch for Chrome comes in response to a zero-day threat associated with the WebP image format. Both companies have been tight-lipped about the technical specifics of these zero-day vulnerabilities to prevent further exploitation while users update their devices. However, reports indicate that CVE-2023-41064, the vulnerability addressed by Apple, could potentially allow malicious code execution through manipulated images. This vulnerability was exploited in an attack known as BLASTPASS, which leveraged PassKit attachments containing malicious images, according to Citizen Lab.

On the other hand, the Chrome zero-day, identified as CVE-2023-4863, pertains to a heap buffer overflow issue in the WebP image format. Although not confirmed yet, an exploit could potentially enable a zero-click attack when visiting a website containing a malicious image. Interestingly, the BLASTPASS exploit was also a zero-click attack capable of compromising iPhones without any user interaction, as reported by Citizen Lab.

While this may appear to be a mere coincidence, it's worth noting that the Citizen Lab report was dated September 7, and Google was alerted to the Chrome zero-day on September 6, both by the Apple Security Engineering and Architecture team and Citizen Lab.

We have reached out to Apple, Citizen Lab, and Google for statements and will update this article if they provide any insights.

In a September 14 update, developer and blogger Alex Ivanovs disclosed that not only web browsers but also any software utilizing the libwebp library is vulnerable to this exploit. This includes Electron-based applications like 1Password and Signal. The 1Password for Mac application has already been updated to version 8.10.15 to patch CVE-2023-4863, and Signal Desktop now incorporates the patched Electron v25.

Ivanovs identified the root of the issue in the BuildHuffman Table function, introduced in 2014.

Several other web browsers have also been updated to address the WebP vulnerability:

Brave has been updated to version 116.0.5845.188.

Edge has been updated to version 116.0.1938.81 (116.1938.79 for iOS).

Firefox has been updated to version 117.0.1.

Opera has been updated to version 102.0.4880.46.

Vivaldi has been updated to version 6.2.3105.47.

While there is no confirmed connection between the WebP vulnerability and the BLASTPASS exploit chain, which involves two zero-days capable of infecting iPhones with Pegasus spyware, Apple has taken additional steps to enhance security. They've released security updates for earlier versions of iOS, iPadOS, macOS Monterey, and macOS Big Sur. This means that even older iPhones like the iPhone 6 and 7, which are no longer supported by iOS 15, are now protected.

Meanwhile, Google has stated that Chrome updates to version 116.0.5845.187 for Mac and Linux, and 116.0.5845.187/188 for Windows, will be rolled out in the coming days. Google has also acknowledged the existence of an exploit for CVE-2023-4863 in the wild. Given the potential link between the BLASTPASS spyware campaign and this emergency Chrome security update, it is strongly advised that all Chrome users update their browsers as soon as possible. While security updates are typically automatic, it's wise to manually check your device to ensure that the fix has been not only downloaded but also activated. You can initiate the update check process by navigating to the Help|About option. After a security update has been downloaded and installed, remember to restart your browser to activate protection against this zero-day exploit.

Though it remains uncertain whether other Chromium-powered browsers like Brave, Edge, Opera, and Vivaldi are affected by this vulnerability, it's a prudent practice to check for security updates in these browsers as well.