The WebP 0day

Introduction 🔗Once again compression algorithms are showing us that they are ruling the internet. My initial encounter with compression algorithms was in the year 2007, while reversing the Windows hibernation file to reimplement the now well-known Microsoft LZXpress which I discovered later was used in most Microsoft products until today. This journey continues today, with the scrutiny of the vulnerability CVE-2023-4863 located within the open-source Libwebp library, affecting Chromium-based browsers such as such Mozilla, Chrome, and Edge but also messaging applications such as iMessage.

Introduction 🔗Once again compression algorithms are showing us that they are ruling the internet. My initial encounter with compression algorithms was in the year 2007, while reversing the Windows hibernation file to reimplement the now well-known Microsoft LZXpress which I discovered later was used in most Microsoft products until today. This journey continues today, with the scrutiny of the vulnerability CVE-2023-4863 located within the open-source Libwebp library, affecting Chromium-based browsers such as such Mozilla, Chrome, and Edge but also messaging applications such as iMessage.

Hacked by an image? How could that be possible? This is the story of how a seemingly innocuous image format, WebP, was discovered to have a critical vulnerability that could be exploited to execute arbitrary code on a victim's machine.

A significant vulnerability in the WebP Codec has been unearthed, prompting major browser vendors, including Google and Mozilla, to expedite the release of

Rust and Node aren't bad for encouraging dependency use -- your favorite language's tools just suck.

Okay, if you’re reading this, you probably know what fuzzing is. As an incredibly reductive summary: fuzzing is an automated, random testing process which tries to explore the state space (e.g., different interpretations of the input or behaviour) of a program under test (PUT; sometimes also SUT, DUT, etc.). Fuzzing is often celebrated as one of the most effective ways to find bugs in programs due to its inherently random nature, which defies human expectation or bias1. The strategy has found countless security-critical bugs (think tens or hundreds of thousands) over its 30-odd-years of existence, and yet faces regular suspicion from industry and academia alike. Mostly. Fuzzers can be overfit to certain applications, intentionally or not. ↩

I’m a little late (one whole month passed in a blink of an eye!). Let’s catch up.

The personal website of Dan Cătălin Burzo.

Homepage for Addison Crump