Major Security Alert: WebP Vulnerability


This one is big.

Google gave this vulnerability (CVE-2023-5129) a base score of 10.0, which is as bad as it gets. It’s very serious. And we couldn’t agree more.

I’ll break it down with an example.

If you visit a website … that’s all it takes for your computer to be completely infected. It’s THAT bad. It’s not just websites. Applications like Skype, Teams, 1Password, Slack, Discord, DaVinci… and dozens more are all vulnerable.

What is WebP??? It is a popular image format, like JPG, TIFF, or PNG. It’s predominantly used on the web to speed things up, but it’s not limited to just websites because it opens in many applications on your computer.

Attackers are already jumping on this. All they have to do is hide malicious code inside an otherwise ordinary image that a vulnerable program on your computer then opens. And that’s it. WebP is everywhere… even the banner image on this blog is a (clean) WebP file.

What can you do? Fortunately, patches are coming out, if slowly. We’re already pushing these out to our clients. But you can start by updating your browser (Chrome, Firefox, Edge, etc.), as we know those vendors have already released patches. We’re still compiling a list of vulnerable programs, but here’s a confirmed group of programs you should also update (not all have patches yet).

  • 1Password
  • balenaEtcher
  • Basecamp 3
  • Beaker
  • Bitwarden
  • CrashPlan
  • Cryptocat
  • DaVinci Resolve
  • Discord
  • Eclipse Theia
  • FreeTube
  • GitHub Desktop
  • GitKraken
  • Joplin
  • Keybase
  • Lbry
  • Light Table
  • Logitech Options +
  • LosslessCut
  • Mattermost
  • Microsoft Teams
  • MongoDB Compass
  • Mullvad
  • Notion
  • Obsidian
  • QQ (for macOS)
  • Quasar Framework
  • Shift
  • Signal
  • Skype
  • Slack
  • Symphony Chat
  • Tabby
  • Termius
  • TIDAL
  • Twitch
  • Visual Studio Code
  • WebTorrent
  • Wire
  • Yammer

I know. It’s a lot. IT pros, at the very least, can search their networks for devices running outdated versions of apps that have been patched. If your office needs help with this task, get in touch.
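As an added example of that inventory step (my script, not something from the original post), here is a PowerShell snippet for Windows endpoints that reads the Uninstall registry keys and reports the installed version of every program from the list above. The name patterns are my assumption, and the patched version for each app is not known from this post, so the output is meant to be compared against each vendor's own advisory.

```powershell
# Added example, not from the original post: inventory Windows hosts for the apps listed above.
# Patched version numbers are NOT known from the post; this reports what is installed so it can be
# compared against each vendor's advisory. Name patterns below are assumptions, matched on word boundaries
# so short names such as "Wire" or "Shift" do not match unrelated products like "Wireshark".
$AffectedApps = @(
    '1Password','balenaEtcher','Basecamp 3','Beaker','Bitwarden','CrashPlan','Cryptocat',
    'DaVinci Resolve','Discord','Eclipse Theia','FreeTube','GitHub Desktop','GitKraken','Joplin',
    'Keybase','Lbry','Light Table','Logitech Options','LosslessCut','Mattermost','Microsoft Teams',
    'MongoDB Compass','Mullvad','Notion','Obsidian','QQ','Quasar','Shift','Signal','Skype','Slack',
    'Symphony','Tabby','Termius','TIDAL','Twitch','Visual Studio Code','WebTorrent','Wire','Yammer'
)

# Uninstall hives: machine-wide 64-bit, machine-wide 32-bit, and per-user (where most Electron apps install).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AffectedAppInventory {
    param([string[]]$Names = $AffectedApps)
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            # First list entry whose name appears as a whole word in the DisplayName
            $match = $Names |
                Where-Object { $entry.DisplayName -match ('\b' + [regex]::Escape($_) + '\b') } |
                Select-Object -First 1
            if ($match) {
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    AffectedApp  = $match
                    DisplayName  = $entry.DisplayName
                    Version      = $entry.DisplayVersion
                    InstallDate  = $entry.InstallDate
                    Scope        = if ($entry.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
                }
            }
        }
}

# Run locally, or fan out with Invoke-Command -ComputerName over WinRM, then review or export the table.
Get-AffectedAppInventory | Sort-Object AffectedApp, Version | Format-Table -AutoSize
```

Per-user installs only show up from the hive of the user the script runs as, so a remote run as an admin account will miss apps installed under other users' profiles unless you run it in each user's session or load their hives.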

More information: