🎥 Critical alert CVE-2023-4863: the unwanted sequel
it's critical-vulnerability-o-clock

Hi and welcome to another Security weekly, where we laugh, we cry, and we share the latest and greatest in security and tech news.
In this week's edition:
🎥 Critical alert CVE-2023-4863: the unwanted sequel
📰 Bits & Bytes
❓ Disable User explains: CVSS
🔥 meme of the week
Reading time: 02:41

Critical alert CVE-2023-4863: the unwanted sequel
Just when we thought we were in the clear, along comes CVE-2023-4863, scoring a perfect 10 on the CVSS doom scale.
It's like the villain in a horror movie that just won't stay down.

The juice
Google has unearthed a pesky flaw in the libwebp image library, the technology behind rendering WebP format images.
For the uninitiated, WebP is Google's image format that outshines JPEG and PNG in the compression and quality arena, which makes libwebp a widespread library found in many apps.
Our digital intruder, initially tracked as CVE-2023-5129 but now going by CVE-2023-4863, exploits a flaw in the Huffman coding algorithm.
If you’re anything like me, a sane human being, you have no idea what the Huffman coding algorithm actually is.
Luckily, I’m curious. Heck, that’s why most of you signed up for this newsletter. Because the Disable User finds out for his peeps.
So, here’s a simplified explanation of the Huffman coding algorithm:
Counting letters - The algo first looks at the text and counts how often each letter shows up.
Making pairs - Then it pairs up the two least common letters and keeps pairing the next least common items (treating each pair as a single item) until everything is joined together.
Building a tree - From these pairs, it creates a tree where each letter is a leaf and common letters sit closer to the base.
Creating shortcuts - Make a unique shortcut for each letter based on its place in the tree. Common letters get shorter shortcuts.
This way, frequently occurring characters take up less space, leading to compressed data.
Let’s try it out ourselves, with the word “BEE”:
Count letters - B=1, E=2
Make pairs - Pair up B and E to create a node with a total count of 3.
Build a tree
      [3]
     /   \
  [B,1] [E,2]
Create shortcuts - Assign 0 to the left branch and 1 to the right branch.
      [3]
   0 /   \ 1
  [B,1] [E,2]
Now, B is represented by 0 and E is represented by 1. So, the word "BEE" would be compressed as 011.
I don’t know about you, but I feel really smart right now.
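To make the four steps concrete, here is an added Python example (not code from the newsletter or from libwebp) that counts the letters, pairs the least common ones, grows the tree and reads the shortcuts off the branches. It reproduces the "BEE" example above and goes a little further than the text: it works on any string, handles the single-letter edge case, and adds a decoder that rejects leftover bits.

```python
import heapq
from collections import Counter
from itertools import count


def build_codes(text):
    """Map each character in `text` to its Huffman code, following the four
    steps above: count, pair the two least common, grow the tree, then read
    the codes off the branches (0 = left, 1 = right)."""
    freq = Counter(text)  # step 1: counting letters
    if len(freq) == 1:  # single distinct symbol (assumed edge case): one bit
        return {next(iter(freq)): "0"}
    order = count()  # tie-breaker so equal counts pop in a fixed order
    # heap entries: (count, order, node); a node is a leaf str or (left, right)
    heap = [(n, next(order), ch) for ch, n in sorted(freq.items())]
    heapq.heapify(heap)
    while len(heap) > 1:  # steps 2 and 3: pair least common, build the tree
        n1, _, left = heapq.heappop(heap)   # least common goes left
        n2, _, right = heapq.heappop(heap)  # next least common goes right
        heapq.heappush(heap, (n1 + n2, next(order), (left, right)))
    codes = {}

    def walk(node, prefix):  # step 4: creating shortcuts
        if isinstance(node, str):
            codes[node] = prefix
        else:
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")

    walk(heap[0][2], "")
    return codes


def encode(text):
    """Return (bit string, code table) for `text`."""
    codes = build_codes(text)
    return "".join(codes[ch] for ch in text), codes


def decode(bits, codes):
    """Walk the bits back through the prefix-free table; reject leftovers."""
    reverse = {code: ch for ch, code in codes.items()}
    out, cur = [], ""
    for b in bits:
        cur += b
        if cur in reverse:
            out.append(reverse[cur])
            cur = ""
    if cur:
        raise ValueError("trailing bits do not form a complete code")
    return "".join(out)
```

Running `encode("BEE")` gives the table `{'B': '0', 'E': '1'}` and the bit string `011` from the example above.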

Anyway, lots of software is affected (I try to keep an up-to-date list on my LinkedIn).
Make sure to update as fast as you can.

This week is sponsored by
Biometric Authentication: No Cost Proof of Concept
The world’s fastest and most secure facial recognition and liveness detection vendor is offering a Zero Cost, Zero Commitment, Full Featured Proof of Concept.
Over 50 hours of engineering goes into customization of your mobile or web application. Live Chat, email, and telephone 24/7 support after implementation. Spaces are Limited.
Compatible with iOS and Android, RESTful APIs, completely integrated into your existing operations.
Customer Onboarding | Liveness Detection | Face Recognition (1:1 & 1:N) | Age Verification | Iris Detection | Fraud Prevention against 60+ Spoofing Attacks
Speed to value in replacing manual and outdated verification methods with 3D liveness detection and AI driven face recognition with unparalleled accuracy in under 1 second.
Apply Now for your own full featured Proof-of-Concept.
Patent pending, iBeta and NIST certified, compliant with the highest levels of data protection. Control your data in your own data centers.

Bits & Bytes
Mozilla Rushes to Fix Critical Vulnerability in Firefox and Thunderbird - this is closely related to the WebP vulnerability, but I’m having trouble finding decent information apart from this.
Microsoft Bing Chat spotted pushing malware via bad ads - Well, that was fun while it lasted.
Critical vulnerabilities in Exim threaten over 250k email servers worldwide - Raise your hand if you’ve never heard about Exim before this article. /raiseshand
Cloudflare DDoS protections ironically bypassed using Cloudflare - up until now I thought this was something only Microsoft would do, but hey, turns out I thought wrong.
Microsoft breach led to theft of 60,000 US State Dept emails - speaking of which: remember that MS breach that hit the US Gov pretty hard?
Microsoft now rolling out AI-powered Paint Cocreator to Insiders - my prayers have been answered. Are you guys & gals ready for even more awesome memes?

CVSS
CVSS, or Common Vulnerability Scoring System, is like the report card for software vulnerabilities, scoring them on a scale of 0 to 10 based on their severity and potential impact.
Imagine if your coffee maker had a mind of its own and decided to brew espresso shots at midnight.
A CVSS score would tell you how bad its behavior is on a scale from "mildly annoying" to "caffeine-induced insomnia."


Meme of the week

