Tom here for Lawrence Systems. It is September 27th of 2023, and there have been a lot of browser updates over the last few weeks. This is because we knew there was a vulnerability in the WebP codec; we just didn't have all the details. Now the details have emerged, and I'm going to be joined by Jason Slagle because we want to talk about where this is besides the browser. And it turns out it's in a lot of places. So finding this is going to be an ongoing investigation over the next few weeks as to what software might have this embedded. With many companies, and this comes down to software bills of materials not being readily available, figuring out whether or not they have a dependency on it, and whether or not they have it implemented in a way that can be exploited, is something that's going to be coming out over time. So I'm going to have a forum post down below that I link to, and I'll be dumping links in there actively, even after this video goes up, to try and keep people up to date with it. And of course we're running around updating clients, but let's dive into the details and talk about just how bad this is. And yeah, it's bad.

All right, I am joined by Jason Slagle here. How are you doing, Jason? Got woken up with some fun stuff going on this morning, so I'm doing okay. I'm feeling better than yesterday and ready to go. Yeah, I'm glad the brain fog cleared just in time for a, we'll just call it a log4j-ish event, because log4j is the first one, so we have to bring it up. This is just as critical. It's not necessarily a server vulnerability; it's a little worse than that. CVE-2023-4863. I mean, it can be a web server vulnerability. There's a lot of frameworks. You mentioned Flutter. You mentioned a few others. Basically anything that's using WebP. This CVE, this is a 10 out of 10. Like, this is full code execution, and it starts with Apple. I think it was called, was it BLASTPASS?
Yeah, BLASTPASS. Yeah, your really advanced threat actor. This is the cool stuff, and the good news is it doesn't usually happen to our clients, but it's really cool to read about. Someone found a really clever hack, but as they unraveled how they were chaining all these attacks together, it turned out to be a flaw. The one that impacts the greater community is this flaw in WebP. It's been hanging out for a long time, so who knows how long someone has known about this, but now the world knows about it because it's being patched, and it's in more things than you realize. You might go, well, you know, cool, I just updated my web browser, so I'm safe. But it's way more complicated than that. That's what we're here to talk about.

Yeah. I mean, so to give you an idea, this was originally released by Google. It came out two weeks ago, I believe two weeks ago, but the details we didn't know. We knew it was critical to update, so we always update, but the why, giving people two weeks to kind of catch up before the world gets to learn about just how bad this is, that's what dropped on us. That's what we're sharing with all of you. Yeah, and if you look at the original CVE-2023-4863, it does say it's WebP, right, but it says in Google Chrome. So, you know, two weeks ago most of the browsers updated, right? So most of the big, huge things you would expect. However, I mean, even Firefox, right, which does not use, they use their own rendering engine, they're not Chromium on the back end, but they still use libwebp, right? So they were vulnerable, and all of those browsers two weeks ago released updates, right? So now, fast-forward to today, the CVE comes out on WebP itself, and now people are starting to go,
oh, this is, yeah, a lot more prevalent than you think it is. Pretty much all the communication apps we use, every single one of them, is a Flutter or Electron app. Yeah, Flutter, Electron, and if you're not familiar with Electron, you probably use it and didn't realize anything. This is a modern way they started programming things. So instead of actually taking, and Signal's an example, and Signal was up to date on this, Signal's just wrapping a browser in what looks like an application window. That way you can build a web browser-based thing. So you can use Slack in a browser, or you can use what looks like the Slack app, which is really just the browser, yeah, wrapped into an application. So it looks like a standalone app, but it's technically running Chromium on the back end and all the support libraries. And this is a real challenge, because you don't necessarily know what version you're running of there. You have to take it apart. It doesn't easily tell you its secrets of which version of the WebP, or more specifically, yeah, VP8L codec, is in there. Yeah, it's VP8L.

Yeah, the real nuance to it, and Jason spent some time, that's why we're doing a video now, really taking it apart to make sure. We work with a lot of other people in the security community, and we're all trying to make sure we fully understand it, because we have to get this out to our clients to make sure. Not the browser updates, sure, that's easy, that's been taken care of two weeks ago. That's not the nitty-gritty. The nitty-gritty is what are those other applications that you might be running, that our clients might be running? For example, Tom edits this video. This video is edited in a vulnerable version of DaVinci Resolve. Or is it vulnerable? Definitely, if they used WebP. Unfortunately, I can't use WebP in the Linux version, so you couldn't send me a WebP file to execute on my DaVinci Resolve. So don't worry,
I think I'm safe editing. Yeah, but there's a lot of that, right, and that begs one of the questions, is that, you know, I went through, Qt is the underlying library that DaVinci uses, and a bunch of other applications. A funny note, like, I play World of Warcraft occasionally, so I have the Blizzard app on this PC I'm using at home, and it uses a vulnerable version of WebP. I don't know if they actually use the SS on the back end, but there are a ton of things. The Corsair iCUE thing that makes all the funny RGB go on my keyboard here, that bundles a vulnerable version of it. Stream Deck bundles a vulnerable version of it. And it may not be the case where you have to display an image; it could be the case with many of these things where you just open a directory with images in it and it will render a thumbnail, right? Like, and I don't know, it's going to require a lot of testing from a lot of researchers to determine what is and is not vulnerable here. I would assume at this point, I would assume anything that bundles it is potentially vulnerable, because there may be a non-obvious code path you can take to get things to execute things, right?
So it may not be the case that it's vulnerable to the point of drive-by, but it may be the case that a threat actor gets on your system and is able to somehow abuse one of these tools that's running as SYSTEM, right, like the Corsair library thing. They may be able to abuse that to do privilege escalation. So I think the first round of this will be a bunch of drive-by stuff you see, and then you'll start seeing more clever uses of the vulnerability to start abusing things like services and stuff that bundle it to escalate.

Where you're going to be more likely to find this is going to be in your web applications. Companies that run web applications that let you upload video, that is where the huge target is, because if they let you upload any type of WebP video and they have not updated whatever the underlying rendering is, you can upload a modified version of this video file and then get execution privileges out there. Yeah, I'm sure large-scale companies, I hope, like YouTube and LinkedIn, anywhere you can upload different types of video, probably have this patched right away, but it's going to be downhill quick from all the smaller ones that may not do this. So it's not necessarily like a firewall. Probably you're not going to find this in your firewalls.
I at least, I hope. Well, unfortunately, we have to break some bad news, people. Windows 7 is probably not getting the fix for this. Yeah, this is probably the nail in the Windows 7 coffin from what I can tell. So Edge is certainly vulnerable, and you know, this goes all the way back to version 0.50 of WebP, which is very old. And so the last version of Chrome or Edge shipped for Windows 7, based on quick research this morning, and maybe they do something they said they weren't going to do, or at least a new one, but the last version at least was 109, and you've got to get up to like 116, I believe, to not be vulnerable to this. Yep.

What I'm going to do with this video here, because we are still examining MSP tools, the tools we use to defend our clients, and seeing what may or may not contain this, is going to be a forum post. You're going to find a forum post in the description down below. I will also link, because we are pretty confident our friends at Huntress will also have their own rapid response, adding cumulatively all the links for this, because I think this is the story today. The story is going to keep expanding as we find things on there, and I'll keep the links up to date so you can have a lot more knowledge on this, as, you know, we're compiling it internally. I'm just going to dump it all externally as well for anyone who's interested in this, and, like it's described, to stay up with that, check out the forum link. You don't have to sign up. You can just view all the forums for free, and so I'll try to do a big link dump in there, including that research previously on H.264 fuzzing, because I feel like there's some relationship here. I'm just speculating. Yeah. All right, thanks everyone for joining us. So we're going to get back to patching systems. Yep. See ya. Cool.
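As an added example, not part of the video or the forum post it refers to: the discussion above notes that the affected code is libwebp's VP8L (lossless) codec and that WebP gets decoded wherever uploads are thumbnailed, which suggests a cheap triage check while patching is still underway. This Python walks the WebP RIFF container (chunk layout taken from the WebP container specification) and reports whether a file would reach the lossless decoder; it goes a little beyond the conversation by also catching a VP8L bitstream nested in an animation frame and an ALPH chunk whose alpha plane is lossless-compressed, since both go through the same lossless decoding code. The sample files are constructed header-only stubs, and a hit means the file exercises that code path, not that it is malicious.

```python
import struct

def iter_chunks(data, offset, end):
    """Yield (fourcc, payload) for each RIFF chunk in data[offset:end]."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        start = offset + 8
        if start + size > end:               # truncated or lying chunk header
            raise ValueError("chunk %r overruns container" % fourcc)
        yield fourcc, data[start:start + size]
        offset = start + size + (size & 1)   # payloads are padded to even length

def _scan(data, offset, end, where):
    hits = []
    for fourcc, payload in iter_chunks(data, offset, end):
        if fourcc == b"VP8L":                # lossless image bitstream
            hits.append(where + "VP8L image bitstream")
        elif fourcc == b"ALPH" and payload and (payload[0] & 0x03) == 1:
            # low 2 bits of the ALPH header = compression; 1 = lossless coding
            hits.append(where + "ALPH chunk with lossless-compressed alpha")
        elif fourcc == b"ANMF" and len(payload) > 16:
            # 16-byte frame header, then nested ALPH / VP8 / VP8L sub-chunks
            hits.extend(_scan(payload, 16, len(payload), "animation frame: "))
    return hits

def lossless_paths(data):
    """Return the reasons this WebP file would reach the VP8L decoder ([] if none)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    return _scan(data, 12, min(len(data), 8 + riff_size), "")

# --- constructed sample files (valid containers, not decodable pictures) ---
def _chunk(fourcc, payload):
    out = fourcc + struct.pack("<I", len(payload)) + payload
    return out + (b"\x00" if len(payload) % 2 else b"")

def _riff(body):
    return b"RIFF" + struct.pack("<I", len(body) + 4) + b"WEBP" + body

LOSSY = _riff(_chunk(b"VP8 ", b"\x00" * 10))
LOSSLESS = _riff(_chunk(b"VP8L", b"\x2f" + b"\x00" * 9))          # 0x2f = VP8L signature
LOSSY_LOSSLESS_ALPHA = _riff(_chunk(b"VP8X", b"\x10" + b"\x00" * 9)  # alpha flag set
                             + _chunk(b"ALPH", b"\x01" + b"\x00" * 5)
                             + _chunk(b"VP8 ", b"\x00" * 10))
ANIMATED = _riff(_chunk(b"VP8X", b"\x02" + b"\x00" * 9)             # animation flag set
                 + _chunk(b"ANIM", b"\x00" * 6)
                 + _chunk(b"ANMF", b"\x00" * 16 + _chunk(b"VP8L", b"\x2f" + b"\x00" * 9)))

if __name__ == "__main__":
    for name in ("LOSSY", "LOSSLESS", "LOSSY_LOSSLESS_ALPHA", "ANIMATED"):
        print(name, "->", lossless_paths(globals()[name]) or "lossy only")
```

Point `lossless_paths` at real uploads (`open(path, "rb").read()`) to find the files worth routing to a patched decoder or holding back until one is deployed.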