In case you missed the news, there's a critical 0day in WebP (a heap buffer overflow in the libwepb library) floating about, which was initially issued as
The bad news is that Android is still likely affected. Similar to Apple’s ImageIO, Android has a facility called the BitmapFactory that handles image decoding, and of course libwebp is supported. As of today, Android hasn’t released a security bulletin that includes a fix for CVE-2023-4863 – although the fix has been merged into AOSP. To put this in context: if this bug does affect Android, then it could potentially be turned into a remote exploit for apps like Signal and WhatsApp. I’d expect it to be fixed in the October bulletin.
If I understand the article right, it’s more of a no-click hack for any single app that the attacker cat get to display an image. Stepping out of the app’s sandbox would need another exploit.
Still bad enough though.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@beehaw.org
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
So a no-click device hack?
Not a device hack, I don’t think it could escalate but it could cause damage otherwise.
If I understand the article right, it’s more of a no-click hack for any single app that the attacker cat get to display an image. Stepping out of the app’s sandbox would need another exploit.
Still bad enough though.
deleted by creator