Google’s quiet CVE SNAFU… (“nothing to see here, just upgrading this to a 10.0 impact and making it a real 0-day”)

Backhistory

In the mythical period of the 1990s, Microsoft was deemed the ‘evil empire’ that one could morally disdain, while ‘underdog’ tech companies like Google, heralding slogans like ‘Do No Evil,’ were celebrated as the heroes of the common user.

But oh the times, they are a’changing. Or more accurately, have already changed.

Over the last two decades, Microsoft has reinvented itself, particularly under the leadership of Satya Nadella since 2014. Once a laughingstock, it has re-emerged as a tech giant, emphasizing enterprise enablement, privacy, and security. One need look no further than the latest Defender versions to see evidence of this.

Google, meanwhile, has moved from “scrappy search underdog” to a company that raises concerns regarding its data collection and usage. Comments by former CEO Eric Schmidt at the 2010 – 2011 Washington Ideas Forum, hosted by The Atlantic, still resonate with today’s Google: “With your permission you give us more information about you, about your friends, and we can improve the quality of our searches,” … “We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less [k]now what you’re thinking about.” Permission and transparency have been common conversation topics around Google and its practices, and the company has been under fire for privacy issues, implicit data usage, and potential antitrust abuse.

Much like Alphabet Inc. asking us to just “go along with” the default to Google services on most smartphones, tablets, etc., this week they tried to have us “just go along with” a quiet re-assessment of a critical vulnerability.

So what’s the vulnerability?

The identified vulnerability is a flaw in Google’s libwebp library, potentially leading to a heap overflow and subsequent remote code execution. Initially reported as specific to Chrome, the issue was later revealed to extend to numerous apps and websites using this library, and to the derivative Electron library (for example, Microsoft Teams), thereby exposing many users to potential risks and bumping it up to the maximum possible CVSS score – 10.0.

As Gerald Auger recently summarized on a podcast, going to a 10.0 CVSS means that not only is the impact BAD and readily actionable, but that the breadth is large and the vuln is actively being exploited in the wild.

Google’s understated update on this critical vulnerability is concerning and contrasts with the expectation of transparency from major tech companies.

Practical Steps for End Users

As always, patching apps promptly is key. Google, Apple and others have been releasing patches rapidly in the last few days to address this vulnerability, covering operating systems, browsers, and other core applications.

Another valuable resource here is a list compiled by threat hunter Michael Taggart of applications based on Electron, which can help you find other impacted applications in your environment. (Credit to helpnetsecurity for finding that one.) See also an excellent list ArsTechnica compiled (at the bottom of the article) of potentially impacted apps, OSes, etc.

Let’s stay vigilant and hope this marks the end of Google’s 0-day vulnerabilities for the time being. Fingers crossed, although the track record in 2023 gives room for skepticism.
