Time Stamps
00:00 - CVE 2023 4863 Critical libwebp Vulnerability Under Active Exploitation
01:37 - Actual Attack Surface
03:00 - Browser Version Updates
05:00 - QT And The Many Application That Embed Webp
07:17 - How Bad Is Windows 7?
NinjaOne did a nice write up listing the vulnerable applications but I want to make something clear: While many applications may contain the libraries because they were part of a larger bundle of codes that came with the frame work on which the application was built, if they do not have a way to process or interact with WebP files then there is not a path that would lead to exploitation.
Uggg! I haven’t seen an emergency Microsoft patch, have they delt with this yet? Or are we going to need to wait until exploit Wednesday (day after patch Tuesday) which is still two weeks away.
Any idea if Adobe checked and hopefully fixed this in Creative Cloud? If CC wasn’t vulnerable I’d be incredibly surprised. As you mentioned, I think any old version of Resolve Suite for Windows and Mac are going to be at risk. (edit) in May of 2023 Adobe released webP of Photoshop, and VP8/VP9 codecs have been in Premiere for a while. Not on the list from Ninja 1, but that list will be an every increasing list until everyone is patched.
https://twitter.com/TomLawrenceTech
Lawrence Systems's Amazon Page
https://www.patreon.com/lawrencesystems