In case you missed the news, there's a critical 0day in WebP (a heap buffer overflow in the libwepb library) floating about, which was initially issued as
  • @Tibert@compuverse.uk
    331 year ago

    The bad news is that Android is still likely affected. Similar to Apple’s ImageIO, Android has a facility called the BitmapFactory that handles image decoding, and of course libwebp is supported. As of today, Android hasn’t released a security bulletin that includes a fix for CVE-2023-4863 – although the fix has been merged into AOSP. To put this in context: if this bug does affect Android, then it could potentially be turned into a remote exploit for apps like Signal and WhatsApp. I’d expect it to be fixed in the October bulletin.

    So a no-click device hack?

    • @Radiant_sir_radiant@beehaw.org
      81 year ago

      If I understand the article right, it’s more of a no-click hack for any single app that the attacker cat get to display an image. Stepping out of the app’s sandbox would need another exploit.
      Still bad enough though.

    • @Lojcs@lemm.ee
      51 year ago

      Not a device hack, I don’t think it could escalate but it could cause damage otherwise.