There is still no confirmation that the WebP vulnerability is connected to the BLASTPASS exploit chain comprising two zero-days that could lead to iPhones getting infected by Pegasus spyware.

Other web browsers that have been updated to patch the zero-day WebP vulnerability include:

Edge, which has been updated to 1.81 (116.1938.79 for iOS)

Firefox, which has been updated to 117.0.1
Ivanovs explains that the problem sits with the BuildHuffmanTable function, introduced in 2014.

I have approached Apple, Citizen Lab, and Google for a statement and will update this article if any is forthcoming.

09/14 update: Developer and blogger Alex Ivanovs has confirmed that, as well as web browsers, “any software that uses the libwebp library” is affected by this vulnerability, including Electron-based applications such as 1Password and Signal.

1Password applications for Mac, Windows and Linux have been updated to patch against CVE-2023-4863, and Signal Desktop has been updated to include the patched Electron v25.