Last month, Google learned hackers were exploiting a critical, previously unknown vulnerability, WebP in their Chrome browser.
The vulnerability permits random and potentially malicious code to execute such as ransomware, a botnet, or a nation state cyber attack.
Google ranked the WebP’s vulnerability severity a perfect 10 out of 10.
Later that week, Google discovered the vulnerability went beyond Chrome, to all browsers (Firefox, Edge and Safari) and thousands of other applications.
It's unknown the extent of the threat since the security hole lies in the WebP library, ironically made by Google and Google cannot enumerate nor quantify the applications that have deployed their insecure and free WebP library.
This year, ransomware’s strategy has shifted towards vulnerabilities such as the GoAnywhere ransomware attacks in February and the MoveIt ransomware exfiltrations in June.
Historically, each ransomware infection represented one victim.
Software vulnerabilities enable attackers to hit multiple victims with one attack.
WebP is the mother lode of software vulnerabilities since every tablet, phone, computer has a browser.
The pervasiveness of the WebP vulnerability combined with its criticality is frightening with the potential for a catastrophic ransomware attack that shuts down our nation and demands a ransom to restore operations (think Colonial Pipeline on steroids), or worse, a nation state attack from Russia or perhaps North Korea.
In cyber parlance, this is called a Zero Day Threat.
Why?
Because at the time of discovery, there is no time to avoid or remediate the vulnerability.
There are four phases to recovering from a Zero Day vulnerability.
1.) Discovery — Software publishers learn hackers are exploiting their product.
2.) Creating an Update — Publishers build an update that removes the vulnerability.
3.) Notification — The media and government agencies notify the world including the hackers about the vulnerability. Sometimes the media and government agencies jump the gun and notify before an update exists much to the hacker’s delight.
4.) Update — Users or admins update vulnerable software. Normally a zero day impacts one application as in the case of GoAnywhere or MoveIt. In this case, there are thousands of applications that must wind its ways through the four phases of recovery.
Microsoft, Mozilla, Google, and Apple have written and released the updates to their browsers. Unfortunately, government inefficiency has hampered the notification process, and awareness of the WebP cyber risk is low.
Every browser in the nation must be updated and time is of the essence.
It takes a few minutes to simply close and reopen your browser.
The challenge is everyone must do this and now.
There remain potentially thousands of vulnerable applications all at different phases in remediation. Some are free. Some are potentially defunct.
Google released the WebP image format in 2018 and boasts 98% market share of browsers and integration into applications such as Microsoft Teams, Slack, LibreOffice, 1Password, and many Linux distributions/frameworks and numerous Javascript frameworks such as Electron.
WebP is embedded into the fabric of computing and represents a security hole to you, your place of work, and the nation.
A solution to avoid cyber disasters such as these exists.
The Department of Homeland Security (DHS) working with the National Institute of Standards and Technology published perhaps the most consequential cybersecurity document of our times, innocently named "CDM Software Asset Management (SWAM) Capability."
The SWAM manifesto explains software on a network must be authorized before it executes. NIST found this concept foundational for effective cybersecurity whether it is for the federal government, a city or a business.
This seminal work contains three concepts applicable to the WebP emergency.
Allowlisting — The core of SWAM is allowlisting which strictly permits authorized applications on the network. Unknowns are blocked.
In large scale vulnerabilities such as WebP, the payloads enter the network but are neutralized since they are unknown and unauthorized.
Velocity — A vulnerable application is an authorized application that can no longer be trusted. Speed of response is critical when a ransomware is invading a network or our country.
Automation: — The most important insight is automation is required to achieve adequate speed of response. It is not Zero Trust, nor AI, nor Detect and Respond.
The future of cybersecurity lies in automating the authorization of software on the network.
In conclusion, you are reading this in a browser that is insecure.
Close that browser and reopen it.
This reduces the exposure to malware, but today there is no automated solution for the thousands of vulnerable applications that you and your workplace are likely using.
Update frequently, and consider becoming a cybersecurity leader and embrace software asset management as prescribed by the Department of Homeland Security.
In the future, wars will be fought in cybersecurity through unknown zero day vulnerabilities like WebP. Victory will be defined by how quickly, efficiently and accurately each country deals with unknown payloads and vulnerabilities.
Rob Cheng is the CEO and founder of PC Matic, a cybersecurity company, best known as the only antivirus made in America. PC Matic is the sponsor of Newsmax’s cybersecurity weekly show. Cheng believes that the nation’s cybersecurity can be solved and an advocate for cyber prevention and citizen privacy.