Information Regarding the Critical WebP Vulnerability | Information Technology | University of Pittsburgh

Thursday, September 28, 2023 - 20:55

UPDATE - Oct. 5, 2023 

Pitt IT recommends individuals use the steps below to update their web browsers to help protect against a critical security vulnerability (CVE-2023-4863) involving a widely used image format known as WebP. 

Update Google Chrome

  1. On your computer, open Chrome.
  2. At the top right, click More.
  3. Click Help, then About Google Chrome.
  4. Click Update Google Chrome.
     Important: If this button does not display, you are using the latest version.
  5. Click Relaunch.

Update Firefox

  1. On your computer, open Firefox.
  2. Click the menu button at the right-hand side of the Firefox toolbar, go to Help, and select About Firefox. The About Mozilla Firefox window will open.
  3. Firefox will check for updates automatically. If an update is available, it will download.
  4. When the download is complete, click Restart to update Firefox.

Update Microsoft Edge

  1. On your computer, open Microsoft Edge.
  2. At the top right, click Settings and more.
  3. Click Help and Feedback, then About Microsoft Edge.
  4. If the About page shows Microsoft Edge is up to date, no action is needed. If the About page shows An update is available, then select Download and install to proceed.

Update Brave

  1. On your computer, open Brave.
  2. Click the menu button at the top right-hand corner.
  3. Select About Brave from the list. The app will automatically check for and download the latest available version.
  4. When the update is complete, restart Brave.

Update Safari (Mac Users)

  1. Go to the Apple menu and select System Settings.
  2. Click Software Update.
  3. If there are any updates, click Restart Now to install them. You can also click More info to read about the update.
  4. Once your macOS has updated, Safari will also be up to date.

ORIGINAL POST - Sept. 28, 2023 

Pitt Information Technology is aware of a zero-day, critical security vulnerability (CVE-2023-4863) involving a widely used image format known as WebP. The WebP vulnerability can be exploited simply by opening a specially crafted image file. A broad range of applications that utilize the WebP image library are affected.  

Pitt IT is investigating the impact of this vulnerability on the University environment and will provide additional updates and guidance on our WebP vulnerability page. In the meantime, technical details about the vulnerability are available from the following resources: 

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.