Joe Apps Technology Support

CVE-2023-5129

Important: Cybersecurity Alert!

Alert posting: 29 Sept, 2023.

We wanted to take the time to notify you about a critical cybersecurity alert. This alert is so serious that Google has stamped it with their highest severity rating: a solid 10/10.

In layman’s terms, this newly discovered vulnerability (officially designated CVE-2023-5129) enables bad actors to execute unauthorized commands or access sensitive data by using maliciously crafted pages.

But the bigger issue is that this vulnerability has been found in a software library known as libwebp—and libwebp is used by all kinds of software: 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, native Android web browsers, and more.

It is urgent that you identify and remediate this vulnerability wherever it exists in your environment. Please contact us right away if you have any questions about this issue and/or how you can most effectively protect your business from the significant and immediate danger it presents to you and your customers. We welcome the opportunity to assess your current exposure and remediate any vulnerabilities that may be putting you at risk. 

Google has given it the maximum possible severity score, and it could be worse than the Log4j exploit many of you remember from 18 months ago.

On one list of potentially affected vendors, there’s a bunch of common tools used by MSPs (& clients), including:

  • 1Password
  • Bitwarden
  • CrashPlan
  • Discord
  • GIMP
  • GitHub Desktop
  • LibreOffice
  • Logitech Options+
  • Microsoft Teams
  • Notion
  • Shift
  • Signal
  • Slack
  • Skype
  • Telegram
  • Visual Studio Code
  • Yammer
  • And no doubt many more.

Things You Can Do to Protect Yourself:

We strongly recommend you complete any outstanding updates for your apps, as they may contain patches for this vulnerability.
Links to update guides for some apps you may have are below.

Apple for iPhone and Mac; Software and Application updates: 

Samsung for Play Store; Software and Application updates:

Skype:

Discord:

1Password:
 
Most web browsers are also vulnerable. Some have already released patches, but please note that not all browsers have done so.
The browsers that have released patches for the vulnerability are the following:
  • Google Chrome
  • Mozilla
  • Brave Browser
  • Microsoft Edge
  • Tor Browser
  • Opera

Video explanation and Articles on the CVE Vulnerability

CVE-2023-5129 Vulnerability Description, made by Simplex-IT:

If this alert raises concerns for your business, or you feel you may have already been affected by the vulnerability, feel free to contact us to schedule a security assessment of your environment.

Dedicated to your cybersafety,

The Joe Apps Management Team
