A new Chrome 0-day is sending the Internet into a new chapter of Groundhog Day

If your software package involves VP8 video encoding, it's likely vulnerable to attack.

Ars Technica

@dangoodin Thanks for getting this out there. I think the most important takeaway for most users is to never
install an app if you can use a web browser instead. If you have installed desktop or phone apps
with web page alternatives (#Teams, #Slack, #Signal, #Discord, #Zoom, #WhatsApp, #Reddit, and many
others), uninstall them! Use Chrome, Safari, Edge, or Firefox to access the application instead.

https://infosec.exchange/@HillClimber/111144006197051749

Ames (@HillClimber@infosec.exchange)

A simple, important, and urgent tip for everyone who doesn't follow #infosec news closely: **Never install an app if you can use a web browser instead**. If you have installed desktop or phone apps with web page alternatives (#Teams, #Slack, #Signal, #Discord, #Zoom, #WhatsApp, #Reddit, and many others), uninstall them! Use Chrome, Safari, Edge, or Firefox to access the application instead.

Why now? There's a serious (8.8 out of 10) vulnerability in the `webp` library, which is used by Chrome and by Electron applications, including most of the above apps. While most vendors have not made an official statement about this flaw yet, it seems likely that many have this flaw, and, if so, it may give attackers the ability to take over your device by sending a malicious image.

FYI, Electron is a deployment platform that lets developers take their web front-end, and quickly wrap it in a pseudo-browser to deploy it as a stand-alone desktop or phone app.

While there is no patch yet for most of these apps, and we don't know for sure which apps have problems, there is a simple thing that you can do to protect yourself from *all* Electron-related issues now and in the future: Just use the in-browser web-page version of the application instead of the desktop or app version. Browsers have *much* stronger security than Electron and other app deployment platforms. For example, Chrome *has* been patched for the above `webp` problem.

Stay safe: Don't install an app if you can avoid it.

More reading:

https://www.reddit.com/r/MicrosoftTeams/comments/16ugaum/ms_teams_electron_libwebp_0day_vulnerability/

https://arstechnica.com/security/2023/09/google-quietly-corrects-previously-submitted-disclosure-for-critical-webp-0-day/

https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/

Please boost to anyone that should hear this.

Infosec Exchange