In case you missed the news, there's a critical 0day in WebP (a heap buffer overflow in the libwepb library) floating about, which was initially issued as
The bad news is that Android is still likely affected. Similar to Apple’s ImageIO, Android has a facility called the BitmapFactory that handles image decoding, and of course libwebp is supported. As of today, Android hasn’t released a security bulletin that includes a fix for CVE-2023-4863 – although the fix has been merged into AOSP. To put this in context: if this bug does affect Android, then it could potentially be turned into a remote exploit for apps like Signal and WhatsApp. I’d expect it to be fixed in the October bulletin.
If I understand the article right, it’s more of a no-click hack for any single app that the attacker cat get to display an image. Stepping out of the app’s sandbox would need another exploit.
Still bad enough though.
So a no-click device hack?
If I understand the article right, it’s more of a no-click hack for any single app that the attacker cat get to display an image. Stepping out of the app’s sandbox would need another exploit.
Still bad enough though.
deleted by creator
Not a device hack, I don’t think it could escalate but it could cause damage otherwise.