Neat Statement on the WebP Vulnerability

Last updated on November 27, 2023

At Neat, we make an effort to continuously assess the security of our products and services. When issues or vulnerabilities are discovered, we work quickly to resolve them and communicate this to our customers and partners. Security researchers are reporting that a vulnerability affecting a wide range of software requires immediate attention.

What is WebP? 

WebP is an image format developed by Google. It was designed to reduce website image sizes without compromising the quality of their appearance. As a result, WebP helps a website run faster and reduces the data storage requirements at the same time. WebP is supported in all major web browsers (Chrome, Firefox, Safari, Edge, etc.) and is used in many software applications. 

Vulnerability Details 

Libwebp is a code library that applications use to process WebP images. A vulnerability in libwebp may be exploited to execute arbitrary code, which can compromise the device on which it is running. The vulnerability can sometimes be triggered without user interaction, when the application receives a malicious image. Details can be found in the CVE record for CVE-2023-4863.

Current Analysis 

Several applications running on Neat devices depend on libwebp. The first is the Android Framework: Android Framework APIs leverage libwebp for rendering WebP images. Devices use WebP images in the Out-Of-the-Box (OOB) setup and when displaying device system settings. However, the interface for OOB and system settings does not allow users to open a WebP file directly in the web page, so the WebP vulnerability does not affect Neat devices in this specific scenario.

The second is the platform applications that operate on Neat devices, namely Microsoft Teams and Zoom. Both the Teams and Zoom applications leverage Chromium WebView to serve images within their respective applications. Among the use cases involving WebView in these applications, we have identified one specific risk: running Microsoft Teams in personal mode could allow users to upload a malformed WebP image via chat.

Impact analysis 

  • No indication of being affected: Neat Bar, Board, Bar Pro, Pad, Neat Pulse Control; any devices running Zoom; Neat Frame running Zoom Rooms.
  • Affected: ONLY Neat Frames running Microsoft Teams in personal mode. 

Recommended Customer Action 

Neat recommends upgrading your Neat device to the following firmware versions or later. 

  • Neat Pad firmware: NFA1.20230928.0116 
  • Neat Bar firmware: NFB1.20230928.0015 
  • Neat Board firmware: NFC1.20230928.0015 
  • Neat Bar Pro firmware: NFD1.20230928.0015 
  • Neat Frame firmware: NFF1.20230928.0015 
  • Neat Board 50 firmware: NFH1.20230928.0015 
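As an added example (not Neat's own tooling), the following fleet check parses the firmware version strings listed above and flags devices that have not yet reached the advisory minimum. It assumes the version layout is model prefix, build date, build number, and that "or later" compares the build date first and then the build number; the inventory is constructed sample data.

```python
import re

# Minimum firmware versions from the advisory, keyed by the model prefix of each version string.
MIN_FIRMWARE = {
    "NFA1": "NFA1.20230928.0116",  # Neat Pad
    "NFB1": "NFB1.20230928.0015",  # Neat Bar
    "NFC1": "NFC1.20230928.0015",  # Neat Board
    "NFD1": "NFD1.20230928.0015",  # Neat Bar Pro
    "NFF1": "NFF1.20230928.0015",  # Neat Frame
    "NFH1": "NFH1.20230928.0015",  # Neat Board 50
}

# Assumed layout: <model prefix>.<YYYYMMDD build date>.<4-digit build number>
VERSION_RE = re.compile(r"^(?P<prefix>[A-Z]{3}\d)\.(?P<date>\d{8})\.(?P<build>\d{4})$")

def parse_version(version):
    """Split 'NFA1.20230928.0116' into (prefix, date, build) with numeric fields."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return m["prefix"], int(m["date"]), int(m["build"])

def is_patched(version):
    """True when the firmware is at or above the advisory minimum for its model.
    Assumption: 'or later' means a later build date, then a higher build number."""
    prefix, date, build = parse_version(version)
    if prefix not in MIN_FIRMWARE:
        raise ValueError(f"no advisory minimum for model prefix {prefix!r}")
    _, min_date, min_build = parse_version(MIN_FIRMWARE[prefix])
    return (date, build) >= (min_date, min_build)

def triage(inventory):
    """Return (name, version, reason) for devices still needing attention (unknown models included)."""
    needs_update = []
    for name, version in inventory:
        try:
            if not is_patched(version):
                needs_update.append((name, version, "below advisory minimum"))
        except ValueError as exc:
            needs_update.append((name, version, str(exc)))
    return needs_update

# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = [
    ("frame-lobby", "NFF1.20230901.0012"),  # older build date: needs update
    ("frame-hr", "NFF1.20230928.0015"),     # exactly the minimum: fine
    ("pad-room-3", "NFA1.20231015.0003"),   # later date, lower build number: fine
    ("board-ops", "NFC1.20230928.0014"),    # same date, build below minimum
    ("bar-unknown", "NFX9.20230928.0015"),  # prefix not in the advisory: flagged
]
```

Running `triage(SAMPLE_INVENTORY)` reports frame-lobby and board-ops as below the minimum and bar-unknown as having no advisory entry; devices at or above the minimum are not listed.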

For more information on the firmware release above, refer to our Neat Support site at https://support.neat.no/article/neat-devices-version-20230928-release-notes/ 

Additional Support 

We encourage you to visit our support website (https://support.neat.no) for updates regarding this notification as well as any future potential security incidents. If you encounter an issue with your Neat device, please email support@neat.no, and one of our technical support engineers will reach out to you.

Note: Neat provides support on Neat devices running current released software, or running software from the previous release. For more information on our support policy, please see the article Neat’s technical support policy. 

IMPORTANT: Please see our privacy policy at https://neat.no/privacy-policy/