Security advisory – October 10, 2023: WebP Vulnerability
Last updated on October 10, 2023
At Neat, we continuously assess the security of our products and services. When issues or vulnerabilities are discovered, we work quickly to resolve them and communicate with our customers and partners. Security researchers are reporting a vulnerability that affects a wide range of software and requires immediate attention.
What is WebP?
WebP is an image format developed by Google. It was designed to reduce website image sizes without compromising visual quality, so it helps websites load faster while reducing storage requirements. WebP supports both lossy and lossless compression. It is supported in all major web browsers (Chrome, Firefox, Safari, Edge, etc.) and is used in many software applications.
Vulnerability Details
libwebp is the reference library, maintained by Google, that applications use to decode and encode WebP images. CVE-2023-4863 is a heap buffer overflow in libwebp's lossless (VP8L) image decoder: a specially crafted WebP image can corrupt memory and may allow arbitrary code execution, compromising the device on which the image is decoded. Because applications commonly decode images automatically as they arrive, the vulnerability can sometimes be triggered without any user interaction. The fix is included in libwebp 1.3.2 and later. Details can be found in the CVE record for CVE-2023-4863 (https://www.cve.org/CVERecord?id=CVE-2023-4863).
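Because the flaw sits in libwebp's lossless (VP8L) decoder, the first triage question for an image arriving over a chat channel is whether it would exercise that code path at all. The script below is an added example written for this advisory, not code from Neat, Google or Microsoft. It walks the RIFF container of a WebP file and reports every place the lossless decoder would run: a top-level VP8L chunk, an ALPH chunk whose alpha plane is lossless-compressed, and VP8L or ALPH chunks nested inside ANMF animation frames. The sample files are constructed inline with filler pixel data (valid headers only), and the function names (triage_webp, iter_chunks, build_webp) are the example's own. It classifies files by container structure; it does not decode pixel data and does not detect a malformed Huffman table, so it is a gating aid, not a substitute for upgrading libwebp.

```python
"""Container-level triage for WebP files: does an image exercise libwebp's
lossless (VP8L) decoder, the code path where CVE-2023-4863 lives?

Added example for this advisory; not code from Neat, Google or Microsoft.
Only the RIFF container and fixed-size headers are parsed; no pixel data is
decoded, so this classifies files, it does not detect malformed Huffman tables.
"""
import struct

RIFF_HEADER = 12         # "RIFF" + u32 size + "WEBP"
ANMF_FRAME_HEADER = 16   # X, Y, W-1, H-1, duration (3 bytes each) + 1 flags byte
VP8L_SIGNATURE = 0x2F    # first byte of every VP8L bitstream
ALPH_LOSSLESS = 1        # ALPH header byte, low 2 bits: 1 = lossless-compressed alpha


def looks_like_webp(data: bytes) -> bool:
    """Check the magic bytes; never trust the extension or MIME type of a chat attachment."""
    return len(data) >= RIFF_HEADER and data[:4] == b"RIFF" and data[8:12] == b"WEBP"


def iter_chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, payload) for each RIFF chunk in data[start:end]."""
    off = start
    while off + 8 <= end:
        fourcc = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        body = off + 8
        if body + size > end:
            raise ValueError(f"chunk {fourcc!r} claims {size} bytes, only {end - body} present")
        yield fourcc, data[body:body + size]
        off = body + size + (size & 1)   # payloads are padded to an even length


def parse_vp8l_header(payload: bytes):
    """Decode the 5-byte VP8L header: signature, 14-bit width-1, 14-bit height-1, alpha, version."""
    if len(payload) < 5 or payload[0] != VP8L_SIGNATURE:
        raise ValueError("VP8L chunk without 0x2F signature byte")
    bits = struct.unpack_from("<I", payload, 1)[0]
    if (bits >> 29) & 0x7:
        raise ValueError("VP8L version field must be 0")
    return (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1, bool((bits >> 28) & 1)


def triage_webp(data: bytes) -> dict:
    """Walk the container and list every place the lossless decoder would run."""
    if not looks_like_webp(data):
        raise ValueError("not a WebP file: RIFF/WEBP magic missing")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if 8 + riff_size > len(data):
        raise ValueError("RIFF size field exceeds file length (truncated file)")
    report = {"chunks": [], "lossless_paths": []}

    def walk(buf: bytes, start: int, stop: int, where: str) -> None:
        for fourcc, payload in iter_chunks(buf, start, stop):
            report["chunks"].append(fourcc.decode("ascii", "replace"))
            if fourcc == b"VP8L":
                w, h, alpha = parse_vp8l_header(payload)
                report["lossless_paths"].append(f"{where}VP8L {w}x{h}" + (" +alpha" if alpha else ""))
            elif fourcc == b"ALPH" and payload and (payload[0] & 0x3) == ALPH_LOSSLESS:
                report["lossless_paths"].append(f"{where}ALPH (lossless-compressed alpha)")
            elif fourcc == b"ANMF":
                # Animation frames carry their own VP8/VP8L/ALPH chunks after a 16-byte header.
                if len(payload) < ANMF_FRAME_HEADER:
                    raise ValueError("ANMF frame header truncated")
                walk(payload, ANMF_FRAME_HEADER, len(payload), where + "ANMF/")

    walk(data, RIFF_HEADER, 8 + riff_size, "")
    report["uses_lossless_decoder"] = bool(report["lossless_paths"])
    return report


# --- Constructed fixtures: headers are valid, pixel data is filler, so these are not decodable images ---
def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_webp(*chunks: bytes) -> bytes:
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


VP8L_16X16 = bytes([VP8L_SIGNATURE, 0x0F, 0xC0, 0x03, 0x00]) + b"\x00" * 7  # 16x16, no alpha
LOSSY_SAMPLE = build_webp(_chunk(b"VP8 ", b"\x00" * 10))
LOSSLESS_SAMPLE = build_webp(_chunk(b"VP8L", VP8L_16X16))
ANIMATED_SAMPLE = build_webp(
    _chunk(b"VP8X", bytes([0x02, 0, 0, 0]) + b"\x0f\x00\x00" * 2),   # flags: animation; 16x16 canvas
    _chunk(b"ANIM", b"\x00" * 6),                                    # background colour + loop count
    _chunk(b"ANMF", b"\x00" * 6 + b"\x0f\x00\x00" * 2 + b"\x00" * 4 + _chunk(b"VP8L", VP8L_16X16)),
)

if __name__ == "__main__":
    for name, sample in [("lossy", LOSSY_SAMPLE), ("lossless", LOSSLESS_SAMPLE), ("animated", ANIMATED_SAMPLE)]:
        print(name, triage_webp(sample))
```

Run as a script it prints the report for the three constructed fixtures; on real attachments, call triage_webp on the raw bytes and treat any file with uses_lossless_decoder set to True as one that will reach the vulnerable code on an unpatched libwebp. A file with no lossless path avoids that decoder, but the only complete remediation remains updating libwebp (and the Chromium WebView that embeds it) to a fixed release.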
Current Analysis
Several components on Neat devices depend on libwebp. The first is the Android Framework, whose APIs use libwebp to render WebP images. Neat devices display WebP images during Out-Of-the-Box (OOB) setup and in the device system settings. However, the OOB and system-settings interfaces do not allow a user to open a WebP file, so no attacker-supplied image reaches the decoder there. As a result, the WebP vulnerability does not affect Neat devices in this scenario.
The second is the platform applications that run on Neat devices, namely Microsoft Teams and Zoom. Both applications use the Chromium WebView to render images inside the app. Among the WebView use cases in these applications, we have identified one specific risk: when Microsoft Teams runs in personal mode, a user could send a malformed WebP image via chat, and the device's WebView would decode it.
Impact analysis:
- No indication of being affected: Neat Bar, Neat Board, Neat Bar Pro, Neat Pad, Neat Pulse Control; any device running Zoom; Neat Frame running Zoom Rooms.
- Affected: ONLY Neat Frame running Microsoft Teams in personal mode.
We are working closely with Microsoft to coordinate a new Teams release that contains a patched Chromium WebView, which will resolve this vulnerability.
Recommended Customer Action
Until Neat and Microsoft release security patches for this issue (anticipated late October / early November 2023), we recommend that Neat account administrators notify their end users of this vulnerability and remind them not to click on links from unknown or untrusted sources on their Neat Frame devices. Administrators may also choose to restrict sharing of images in chat to users within their own organization. Because a received image may be decoded without any user action (see Vulnerability Details above), restricting who can send images is the stronger of the two controls.
Additional Support
We encourage you to visit our support website (https://support.neat.no) for updates regarding this notification and any future security incidents. If you encounter an issue with your Neat device, please email support@neat.no and one of our technical support engineers will reach out to you.
Note: Neat provides support on Neat devices running current released software, or running software from the previous release. For more information on our support policy, please see the article Neat’s technical support policy.
IMPORTANT: Please see our privacy policy at https://neat.no/privacy-policy/