Multiple reputable sources, including the National Institute of Standards and Technology, recently announced a zero-day code vulnerability for software using a library called “WebP” that can be exploited to execute arbitrary code. An initial list of software that uses this code has been released with the most common applications being Google Chrome, Mozilla Firefox and Microsoft Edge. Since this vulnerability impacts everybody, we will be pushing an out-of-band update for Chrome, Firefox and Edge. This update will not restart any machines or impact any users.
To receive this update, computers must be left on overnight. Chrome, Firefox, and Edge must be closed or restarted during the next use. Nothing further is required to close the vulnerability beyond the patch that has been released by each vendor. Machines that are not turned on and browsers that are not restarted will not receive the patch until they are turned on and the browsers are restarted.
A full list of additional impacted software as of today is available below. If your business has identified that any of these applications are in use, please engage Innovative for assistance. We will be happy to investigate the applications for patches and/or workarounds to close the vulnerability.
Please contact Innovative at 1-800-541-0450 or [email protected] if your firm needs assistance with this vulnerability.
Impacted Applications
- Brave Browser
- Tor Browser
- Opera Browser
- Vivaldi Browser
- Bitwarden Client
- LibreOffice
- Signal-Desktop
- Apple Software
- Ubuntu
- Debian
- SUSE
- Electron
- Xplan
