The Case Western Reserve University community's security is University Technology's top priority. [U]Tech wants the campus community to be aware of a critical security vulnerability disclosed earlier this month. It impacts various applications on your computers and mobile devices. Your immediate action is required.
Immediate action required
Devices managed by CWRU will update automatically as scheduled, requiring no user action. However, if you're using a personally owned device or an unmanaged CWRU device, you must take immediate action:
- Check for updates: Ensure all applications on your device are up to date, including your operating system.
- Scope of vulnerability: This vulnerability goes beyond your operating system, affecting numerous applications. Notably, it impacts browsers such as Firefox, Safari, and Edge, as well as popular chat platforms like Signal, Slack, Discord, and Skype, plus image manipulation apps like LightTable, and various other applications reliant on the WebP image library. See a list of affected applications.
Why this matters
This security flaw could be exploited by a specially crafted malicious image. Attackers may use this image to trick users into opening it, potentially allowing them to remotely execute code and access sensitive user data.
Stay protected
Until your device is updated, it remains at risk. Several application vendors have already issued fixes for this critical vulnerability. The vendors that have pushed WebP zero-day patches are:
- Google Chrome (Mac and Linux: 116.0.5845.187, Windows: 116.0.5845.187/.188)
- Mozilla Firefox (117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2)
- Brave Browser (Version 1.57.64)
- Microsoft Edge (Versions 109.0.1518.140, 116.0.1938.81, and 117.0.2045.31)
- Tor Browser (Version 12.5.4)
- Opera (Version 102.0.4880.46) and Opera GX (Version Lvl 5, 102.0.4880.64)
- Vivaldi (Version 6.2.3105.47)
- Bitwarden
- LibreOffice
- Suse
- Ubuntu
- LosslessCut
- NixOS (Nix package manager)
Take preventive measures
[U]Tech recommends enabling Automatic Updates on all personally owned devices. Keeping your systems current with operating system and third-party app fixes should be treated as an essential, high-priority task.
Note to health sciences students regarding Examplify/Examsoft
ExamSoft has issued a caution regarding the newest major version releases of Microsoft Windows and Apple MacOS (Windows 11 23H2 — expected to release on Sept. 26 and macOS 14 Sonoma — expected to release on September 26):
"ExamSoft is currently assessing Examplify's compatibility with these new versions. Because Examplify is not yet compatible, users who update their operating systems to Windows 11 23H2 or macOS 14 may experience technical issues that prevent them from installing or successfully completing exams."
[U]Tech's Information Security team advises Examplify users that they should postpone updating their machines until ExamSoft announces official support for these major version releases. However, monthly patches and urgent security updates should be applied and should not affect Examplify's performance.
Need assistance?
For assistance with checking for and installing application updates, please contact the [U]Tech Service Desk at help@case.edu, call 216.368.HELP (4357), or visit help.case.edu.
Your safety and data security are of utmost importance. [U]Tech thanks the university community for their immediate attention to this matter, and reminds individuals to remain vigilant.
References: