Risk level 10: Critical WebP security hole affects lots of software

Google has assigned a new CVE ID, with the highest severity level, to a security vulnerability that was already known. The reason is that the vulnerability, originally classified as a Chrome bug, is actually a WebP vulnerability and therefore affects significantly more applications.

The WebP image file format is particularly popular on the web because it offers a good balance between storage size and quality. But the vulnerability allows attackers to use a specially crafted WebP image to trigger a heap buffer overflow and execute malicious code. To do this, the image must be opened in an application; in browsers, simply visiting a website is sufficient. The code executed in the background can then install malware, for example.

Numerous known applications affected

The vulnerability, which was discovered by Apple’s Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto’s Munk School, was initially wrongly classified as a pure Chrome bug; common web browsers were quickly protected with a security update. As it has now turned out, however, significantly more applications are affected.

The vulnerability lies in the open-source libwebp library, which is used by numerous programs. Applications such as GIMP, LibreOffice, Telegram, 1Password and many others could therefore also become targets of an attack. As a result, the CVSS score, a standardized rating for evaluating security vulnerabilities, has been raised to the highest level, 10.0.

How to protect yourself

As a user, you basically have only one way to protect yourself from this vulnerability: make sure you have the latest patches installed. Many affected applications have already released security updates that close the security hole, including browsers and LibreOffice.

Beyond that, the usual rules for browsing the web apply here as well. Do not download files from unknown sources, and make sure that links in emails only lead to trusted sites.

This article was translated from German to English and originally appeared on

Kris especially enjoys writing about gaming and hardware, but feels at home in almost any tech topic.

Recent stories by Kris Wallburg:

Two gamers got jobs with Amazon just to steal the new Zelda
