So, last week an alert circulated in the Mac IT support communities; another security issue was "in the wild." That in itself is nothing unusual, right? Security updates get issued routinely, and at a glance most of us have never heard of the stuff listed in this one. So who could blame you if you didn't notice?
You may have gotten through life as an active and even savvy computer user and never even heard of the LibWebp library -- I hadn't heard about it either until the alerts went out last week that said library was brutally hacked -- but that's sort of the point: Software you likely use every day has "LibWebp" built into it, and as a result it may be compromised. All the software vendors who are paying attention have already, as of this writing, issued urgent security updates for their products (including 1Password!), but that doesn't mean end users have INSTALLED them. This includes a lot of popular software which I'll list below, but first let's talk about password managers.
I've been lukewarm on password managers for years -- specifically, password managers that seek to "sync" your passwords between devices over the Internet. The reason is, they have a HUGE target on them; gaining access to the back end of a password manager sync system is the stuff of hacker dreams. That being said, password managers -- and this includes commercial products like 1Password, LastPass, Dashlane, RoboForm, and even iCloud and Chrome password syncing systems -- do solve some real problems for end users, so I have supported them in my customer base when asked.
The implications of using 1Password when it has been compromised with a malicious LibWebp library are significant: a bad guy could install keystroke loggers, backdoors, etc. and thereby gain access to your accounts: everything you've stored a password for.
It's not just 1Password that has been updated for this bug: here is a list of other popular programs, and it isn't a complete list. Additional info on this matter can be found here and here. It is worth explicitly mentioning that it doesn't matter which program they get in on; if they manage to get into your computer, there are few limits on what they have access to. So patch 'em all.
- Google Chrome web browser, and all its derivatives such as Microsoft Edge, Chromium, Epic, and more
- Firefox, which is not Chrome-based, but also uses the same LibWebp
- Telegram messaging app
- Slack messaging app
- Ubuntu, a popular content management system
- LibreOffice, a popular alternative to Microsoft Office
Again, I want to stress that this is a partial list, and some developers may not even realize that their code is included because the LibWebp code is under the hood in so many things.
The bottom line? When software you rely on offers an update for "security reasons," it could -- as in this case -- be very, very important that you do those updates. Now close this blog and go install your updates, kay?