Image-related bug: Edge, other browsers, apps, under severe threat

OnMSFT Staff OnMSFT Staff
2 min read

Hackers are using WebP images to hack into people’s systems. All the major companies have agreed and released security patches for the browsers. NIST acknowledges the threat.

What is WebP? WebP is a contemporary image format offering advanced compression capabilities, both lossless and lossy, for web-based images. Its compatibility extends across all leading web browsers, encompassing Chrome, Firefox, Edge, and Safari.

All the major companies have responded to the situation:

  • Google responded swiftly by releasing updates for Google Chrome on various platforms.
  • Mozilla also planned to release updates for Firefox.
  • Apple indicated that it had pushed an update for this vulnerability.
  • Other browsers like Brave and Microsoft Edge were mentioned as having released updates.
  • Electron-based applications, including Signal and 1Password for Mac, were considered vulnerable until they updated their libwebp versions.
  • Various Linux platforms, such as Ubuntu, Debian, and SUSE, were actively updating their libwebp versions.

It’s not just web browsers. Other programs that use the same technology can also have this problem. Some of these programs are Signal, 1Password, and many more. They are also fixing the issue.

The Apple Security Engineering and Architecture (SEAR) team reported the vulnerability in collaboration with The Citizen Lab at The University of Toronto’s Munk School on September 6, 2023.

Google confirmed the existence of an exploit for CVE-2023-4863 in the wild, underscoring the urgency of addressing the issue.

The affected software versions that contain the necessary fixes are as follows:

Google:

  • Chrome version 116.0.5846.187 (for Mac and Linux)
  • Chrome version 116.0.5845.187/.188 (for Windows)

Mozilla:

  • Firefox 117.0.1
  • Firefox ESR 102.15.1
  • Firefox ESR 115.2.1
  • Thunderbird 102.15.1
  • Thunderbird 115.2.2

Microsoft:

  • Edge version 116.0.1938.81

Brave:

  • Brave Browser version 1.57.64

Users are urged to immediately update their browsers and other affected apps. Suppose users are unable to update their software immediately. In that case, they can mitigate the risk of exploitation by avoiding untrusted websites and not opening attachments from unknown senders.

via StackDiary, TheVerge

 

Share this article:

Related Articles

Chrome and Gemini icons representing Gemini Live voice assistant integration in Chrome

Chrome tests Gemini Live voice assistant in a floating overlay panel

March 14, 2026

Chrome’s Organizer feature may sync Gemini and AI conversations across devices

March 14, 2026

After Chrome, Edge tests launching the browser automatically when you sign into Windows

March 13, 2026

Leave a Comment

Your email address will not be published. Required fields are marked *