this post was submitted on 29 Sep 2023
395 points (95.0% liked)

Technology

58070 readers
2799 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
L4s@lemmy.world
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
395
UPDATE YOUR BROWSERS IMMEDIATELY. RCE VULNERABILITY DISCOVERED (nvd.nist.gov)
submitted 11 months ago by VitabytesDev@feddit.nl to c/technology@lemmy.world
93 comments fedilink hide all child comments
 

Any Chromium and Firefox browser prior to version 116 will be vulnerable to this, update your browsers.

top 50 comments
sorted by: hot top controversial new old
[–] Buelldozer@lemmy.today 121 points 11 months ago (2 children)

This is way way wider than just browsers. Anything that can display webp images is vulnerable and that includes things like MS Teams and Twitch.

[–] Lantern@lemmy.world 66 points 11 months ago (6 children)

Further solidifying webp as the worst image format.

[–] chameleon@kbin.social 25 points 11 months ago* (last edited 11 months ago)

The current advisory is in webm (VP8 specifically). The webp one was 2 weeks ago. ...yeah, not a good time for web browsers lately...

(edit: noticed OP actually did link the webp one, I thought it'd be CVE-2023-5217 because that's being linked elsewhere)

[–] Lucidlethargy@sh.itjust.works 15 points 11 months ago* (last edited 11 months ago) (3 children)

WebP is currently the smallest and highest quality format accepted by browsers today. I have no idea why you think so negatively of it, but it's irreplaceable until something better is widely adopted, and thus viable.

It's the best format for websites as of this exact moment.

[–] mlg@lemmy.world 18 points 11 months ago

Highest compression, not highest quality (arguably).

Also heavy compression which takes more resources to display.

Also poor compatibility outside browsers.

afaik it's basically still just VP8 in image format with added metadata, and google refuses to support alternatives because they like to own the browser market.

I think there was gonna be a webp and webm 2, but it never happened.

[–] CriticalMiss@lemmy.world 7 points 11 months ago

The only reason that’s the case is because Google axed the JPEGXL implementation

[–] Espi@lemmy.world 5 points 11 months ago

AVIF is supported everywhere and it's fantastic

[–] jackpot@lemmy.ml 12 points 11 months ago (4 children)

whats wrong with it

[–] CmdrShepard@lemmy.one 30 points 11 months ago (2 children)

Try linking one and sending it to someone else. I tried it and the recipient died two days later.

load more comments (1 replies)
[–] gamer@lemm.ee 23 points 11 months ago (3 children)

There's some politics involved. Basically, everyone is rallying behind JPEGXL instead of WebP, but Google refuses to support JPEGXL in Chrome. The reasoning they gave is weak, so it's assumed that they're just trying to force the format they invented on everyone because they can.

IIRC, performance of the two formats is similar.

[–] jackpot@lemmy.ml 4 points 11 months ago (1 children)

why does everyone like jpegxl and why does google care if it's foss

[–] GamingChairModel@lemmy.world 13 points 11 months ago (3 children)

JPEG XL, like AVIF and HEIC and WebP, is basically a next generation format that supports much higher quality at lower file sizes compared to JPEG and PNG.

Among those four formats, JPEG XL is promising because it allows for recompression of JPEG losslessly. That means if you take an image that was already encoded as JPEG (as the vast, vast majority of images are), you can recompress with no additional loss in quality from the conversion. That's something that isn't true of the others.

JPEG XL also has a much higher maximum quality and specific features great for high quality image workflows (like for professional photographers, publishers, and those who need to print images). WebP, AVIF, and HEIC are good for sharing on the web, but the printing and publishing workflow support requires a few more conversions along the way.

I thought this blog post by a cloud image delivery network that played a big role in developing JPEG XL was pretty persuasive, even if they had a direct interest in JPEG XL adoption.

load more comments (3 replies)
load more comments (2 replies)
[–] Lantern@lemmy.world 8 points 11 months ago (3 children)

It’s a format that most major image editors don’t support. Basically, if you wanted to do anything with it, you need to first convert it to a different format. It’s the only format that has this problem.

[–] ipkpjersi@lemmy.ml 5 points 11 months ago (1 children)

That's fair except it's not the only format that has this problem. There's JPEG 2000 and AVIF which have even less image editor support.

load more comments (1 replies)
load more comments (2 replies)
load more comments (1 replies)
load more comments (3 replies)
[–] seaQueue@lemmy.world 4 points 11 months ago

It's the full disclosure of the ImageIO webp vuln from last week, this is the root cause.

[–] shortwavesurfer@monero.town 68 points 11 months ago (1 children)

Well, i think firefox 117 fixed that webp issue so i am on that one.

[–] joyjoy@lemm.ee 21 points 11 months ago (2 children)

Specifically 117.0.1 (117.1 on android)

[–] ForestOrca@kbin.social 16 points 11 months ago* (last edited 11 months ago) (1 children)

Good to go. Always roll with the latest version. 118.0.1

[–] c10l@lemmy.world 13 points 11 months ago (5 children)

Latest is 118.0.1.

load more comments (5 replies)
[–] shortwavesurfer@monero.town 7 points 11 months ago (3 children)

Yep. Fennec F-Droid 117.1.0

load more comments (3 replies)
[–] TylerDurdenJunior@lemmy.ml 58 points 11 months ago

idk. The post content was not in all caps, so I am not really sure about the urgency

[–] bappity@lemmy.world 39 points 11 months ago (3 children)

AGAIN?

[–] seaQueue@lemmy.world 21 points 11 months ago* (last edited 11 months ago) (1 children)

It's last week's big libwebp vulnerability again.

Edit: this underlying vuln is why last week's CVE was such a big deal, anything using webp is at risk including a whole big pile of electron apps that everyone uses.

load more comments (1 replies)
[–] GamingChairModel@lemmy.world 16 points 11 months ago

Sorta. OP just linked the full disclosure of the libwebp vulnerability that made the news 2 weeks ago.

But there's an even more recent vulnerability in libvpx that was announced this week, that is similar in a lot of ways (including severity).

[–] treadful@lemmy.zip 35 points 11 months ago

There's a more recent CVE as well for FF that was patched in 118.0.1: CVE-2023-5217: Heap buffer overflow in libvpx

[–] cheese_greater@lemmy.world 22 points 11 months ago (4 children)

What actual like platforms does this affect and to what extent tho? Like Mac (probably not iOS which is WebKit)?

[–] towerful@programming.dev 22 points 11 months ago (7 children)

I've read elsewhere it's actually a problem with libwebp not just chrome.
Basically, anything that relies on libwebp (ie can play libwebp) is vulnerable.
https://snyk.io/blog/critical-webp-0-day-cve-2023-4863/

load more comments (7 replies)
[–] Phen@lemmy.eco.br 15 points 11 months ago

Discord, slack, MS Teams, Steam, pretty much anything. But most of them have already fixed it so if you let stuff update itself frequently, there's little risk.

[–] Th3D3k0y@lemmy.world 15 points 11 months ago (2 children)

Current Description

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

load more comments (2 replies)
load more comments (1 replies)
[–] pastermil@sh.itjust.works 22 points 11 months ago (2 children)

I read this as RICE vulnerability and was confused

[–] PeWu@lemmy.ml 5 points 11 months ago (1 children)

Yeah, Linux boys would be mad

[–] Turun@feddit.de 6 points 11 months ago* (last edited 11 months ago)

No, how could I be mad about the truth? We'd download and run any dotfiles if the screenshot looks nice enough.

load more comments (1 replies)
[–] eumesmo@lemmings.world 20 points 11 months ago (2 children)

What about webview-based browsers in android phones?

[–] Bipta@kbin.social 14 points 11 months ago (2 children)

As far as I'm aware this does affect Android and is not currently fixed. It's expected to be fixed in the October security patch.

This is just my memory of reading weeks ago. Someone else may know better.

[–] 9point6@lemmy.world 9 points 11 months ago (1 children)

The Android webview is updated through the play store as of a few years ago

load more comments (1 replies)
load more comments (1 replies)
load more comments (1 replies)
[–] Vub@lemmy.world 10 points 11 months ago (2 children)

Not sure why you only mention Chromium and Firefox in the post text, I can only assume this vulnerability affects ALL browsers. Safari (WebKit based) is, as far as I know, the second most used browser in the world.

load more comments (2 replies)
load more comments
view more: next ›