Overview
On Wednesday, September 13, 2023, the WebP project released version 1.3.2 of libwebp, containing a fix for a critical-severity vulnerability. The vulnerability has been exploited in some industry applications, but we have no indication that any Sophos products are affected at this point.
Libwebp is a codec library for handling WebP media streams and is integrated in, among others, the Chrome browser and all its derivatives. As a result, a large number of industry applications are potentially affected by this vulnerability.
Patches for libwebp
The fix is included in the following releases:
libwebp version 1.3.2: https://github.com/webmproject/libwebp/releases/tag/v1.3.2
List of other affected applications: https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec
What Sophos products are affected?
Sophos is reviewing and patching all affected applications and services as part of its incident response process.
Product or Service | Status | Description |
---|---|---|
Sophos Cloud Optix | Not affected | Component not present |
SG UTM (all versions) | Not affected | Component not present |
Sophos Central | Not affected | Vulnerable code not in execute path |
Sophos Endpoint protection (Windows) | Not affected | Component not present |
Sophos Endpoint protection (macOS) | Not affected | Component not present |
Sophos Endpoint protection (Linux) | Not affected | Vulnerable code not in execute path |
Sophos Email | Not affected | Component not present |
Sophos Firewall (all versions) | Not affected | Component not present |
SophosConnect client | Not affected | Component not present |
Sophos Home (Windows) | Not affected | Component not present |
Sophos Home (macOS) | Not affected | Component not present |
Sophos Mobile | Not affected | Component not present |
Sophos Mobile EAS Proxy | Not affected | Component not present |
Sophos Mobile Control app (iOS + Android) | Not affected | Component not present |
Sophos Intercept X for Mobile app (iOS + Android) | Not affected | Component not present |
Sophos Secure Email app (iOS + Android) | Not affected | Component not present |
Sophos Secure Workspace app (iOS + Android) | Not affected | Component not present |
Sophos Chrome Security | Not affected | Component not present |
Sophos PhishThreat | Not affected | Component not present |
Sophos RED | Not affected | Component not present |
Sophos AP/APX | Not affected | Component not present |
Sophos Wireless | Not affected | Component not present |
Sophos ZTNA | Not affected | Component not present |
Sophos Switch | Not affected | Component not present |
Sophos Central Managed APX | Not affected | Component not present |
SophosLabs Intelix | Not affected | Component not present |
Sophos SASI (AntiSpam) | Not affected | Component not present |
SAV DI | Not affected | Component not present |
SUSI | Not affected | Component not present |
AV Engine (all platforms) | Not affected | Component not present |