Submitted URL: https://ift.tt/OG5cRw8
Effective URL: https://www.malwarebytes.com/blog/news/2023/09/pegasus-spyware-and-how-it-exploited-a-webp-vulnerability
Submission: On September 28 via manual from IL — Scanned from DE

Android | Apple | Exploits and vulnerabilities


PEGASUS SPYWARE AND HOW IT EXPLOITED A WEBP VULNERABILITY

Posted: September 27, 2023 by Pieter Arntz

The company behind the infamous Pegasus spyware used a vulnerability in almost
every browser to plant its malware on victims' devices.

Recent events have demonstrated very clearly just how persistent and widespread
the Pegasus spyware is. For those who missed the subtle clues, we have tried to
construct a clear picture. We attempted to follow the timeline of events, but
have made some adjustments to keep the flow of the story alive.

On September 12, 2023, we published two blog posts urging our readers to patch
two Apple issues that had been added to the Known Exploited Vulnerabilities
catalog of the Cybersecurity & Infrastructure Security Agency (CISA), and to
apply a Chrome update that included one critical security fix for an actively
exploited vulnerability.

The vulnerabilities were discovered as zero-days by Citizen Lab while checking
the device of an individual employed by a Washington DC-based civil society
organization with international offices. The exploit chain built on these
vulnerabilities was capable of compromising devices without any interaction from
the victim, and it was reportedly used by the NSO Group to deliver its infamous
Pegasus spyware.

Both vulnerabilities, CVE-2023-41064 and CVE-2023-4863, stem from a heap buffer
overflow in libwebp, the code library used to encode and decode images in the
WebP format. This library is embedded in other programs, such as web browsers,
to add WebP support.

Security expert Ben Hawkes traced the vulnerability to the "lossless
compression" support in WebP, sometimes known as VP8L. A lossless image format
stores and restores pixels with 100% accuracy, and WebP does this using an
algorithm called Huffman coding.

As we saw in the vulnerability descriptions, both issues are buffer overflows. A
buffer overflow is a type of software vulnerability that occurs when a program
writes more data into an area of memory (a buffer) than that area was sized to
hold, so the excess spills past the buffer's boundary into an adjacent memory
region.

The vulnerable versions of libwebp allocate memory based on pre-calculated
buffer sizes from a fixed table, and then construct the necessary Huffman tables
directly in that allocation. A specially crafted image file could trick libwebp
into building tables that were too small to contain all the values, so the data
overflowed into other memory locations.
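Because the flaw sits in the VP8L (lossless) decoding path, a defender's first triage question for a suspicious WebP file is whether it carries a VP8L bitstream at all. The following Python script is an added example, not code from the post or from libwebp: it walks the RIFF/WEBP container, reports every VP8L bitstream (top-level or inside an animation frame) with its decoded header, and rejects truncated chunks instead of reading past them. The sample files are constructed inline from dummy pixel data, so they are not real images.

```python
import struct

VP8L_SIGNATURE = 0x2F  # first byte of every VP8L (lossless) bitstream

def iter_chunks(data, start, end):
    """Yield (FourCC, payload) for the RIFF chunks in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError(f"truncated chunk {fourcc!r}")
        yield fourcc, payload
        pos += 8 + size + (size & 1)  # payloads are padded to an even length

def parse_vp8l_header(payload):
    """Decode the 5-byte VP8L header: signature byte, then 14+14+1+3 bits, LSB first."""
    if len(payload) < 5 or payload[0] != VP8L_SIGNATURE:
        raise ValueError("VP8L chunk without a valid signature byte")
    bits = struct.unpack_from("<I", payload, 1)[0]
    return {"width": (bits & 0x3FFF) + 1, "height": ((bits >> 14) & 0x3FFF) + 1,
            "alpha": bool((bits >> 28) & 1),
            "version": (bits >> 29) & 0x7}  # must be 0 for a conforming file

def find_lossless_bitstreams(data):
    """Return a header dict for every VP8L bitstream: top-level or inside an ANMF frame."""
    if data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP container")
    end = min(8 + struct.unpack_from("<I", data, 4)[0], len(data))
    found = []
    for fourcc, payload in iter_chunks(data, 12, end):
        if fourcc == b"VP8L":
            found.append(dict(parse_vp8l_header(payload), where="top-level"))
        elif fourcc == b"ANMF":  # animation frame: 16-byte frame header, then image chunks
            for sub, subpayload in iter_chunks(payload, 16, len(payload)):
                if sub == b"VP8L":
                    found.append(dict(parse_vp8l_header(subpayload), where="ANMF"))
    return found
# --- constructed samples: synthetic containers with dummy pixel data, not real images ---
def chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + b"\x00" * (len(payload) & 1)

def build_webp(chunks):
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def vp8l_header(width, height, alpha=False):
    bits = (width - 1) | ((height - 1) << 14) | (int(alpha) << 28)
    return bytes([VP8L_SIGNATURE]) + struct.pack("<I", bits)

SAMPLE_LOSSY = build_webp([chunk(b"VP8 ", b"\x00" * 10)])
SAMPLE_LOSSLESS = build_webp([chunk(b"VP8L", vp8l_header(16, 8, alpha=True) + b"\x00\x00")])
SAMPLE_ANIMATED = build_webp([chunk(b"VP8X", b"\x02" + b"\x00" * 9), chunk(b"ANMF", b"\x00" * 16 + chunk(b"VP8L", vp8l_header(4000, 3000)))])
```

Files that report a VP8L bitstream are the ones that exercise the Huffman table construction described above, so they are the ones to prioritise for scanning or quarantine until every libwebp copy in the environment is patched.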

Even a seasoned security expert like Ben Hawkes, who figured out where the
problem was, had a hard time finding a way to exploit this issue; it must have
been harder still when there was no clue that a vulnerability even existed. It
helps that libwebp is an open source library, so anyone interested can review
the code. Ben explained that even extensive fuzzing had never revealed the
problem.

Someone, or a group of people, must have taken it upon themselves to really dive
into the code. Ben wrote:

> “In practice, I suspect this bug was discovered through manual code review. In
> reviewing the code, you would see the huffman_tables allocation being made
> during header parsing of a VP8L file, so naturally you would look to see how
> it's used. You would then try to rationalize the lack of bounds checks on the
> huffman_tables allocation, and if you're persistent enough, you would
> progressively go deeper and deeper into the problem before realizing that the
> code was subtly broken. I suspect that most code auditors aren't that
> persistent though -- this Huffman code stuff is mind bending -- so I'm
> impressed.”

Then again, given the amount of money on offer for a fully functional exploit
chain, there should be more than enough people willing to put in the work and
shove their conscience aside.

20 million dollars for top-tier full-chain mobile exploits

Although Google and Apple have issued updates to patch this vulnerability,
libwebp is used in many other applications, and it may take a while before the
Android update trickles down to every make and model. Regular readers may know
that when there is an update for the Android operating system—software that sits
at the core of about 70% of all mobile devices—it can take a very long time to
reach end users due to the patch gap: many mobile phone vendors sell their
devices with their own tweaked versions of Android, and the patches need to be
tested before they can be rolled out on those versions.

NSO Group, which markets the Pegasus spyware, has shown that it is interested in
acquiring such exploits. As we wrote years ago, Pegasus has been around for a
long time and we should not ignore its existence.

Our own David Ruiz wrote:

> “Pegasus is reportedly instrumental to several governments’ oppressive
> surveillance campaigns against their own citizens and residents, and, while
> NSO Group has repeatedly denied allegations that it complicitly sells Pegasus
> to human right abusers, it is difficult to reconcile exactly how the
> zero-click spyware program—which non-consensually and invisibly steals emails,
> text messages, photos, videos, locations, passwords, and social media
> activity—is at the same time a tool that can, in its very use, respect the
> rights of those around the world to speak freely, associate safely, and live
> privately.”

Pegasus is not new. The company behind it launched in 2010, and it reportedly
gained its first overseas customer just one year later. For years, Citizen Lab
has been tracking the spread of Pegasus, searching for government clients and
tracking down mobile devices that were hacked by the spyware. Back in 2016, the
group’s investigations helped spur MacOS updates to fix severe vulnerabilities
that could have been exploited by Pegasus. In 2018, Citizen Lab also identified
45 countries that were potentially relying on Pegasus to conduct surveillance.

After learning about the findings from The Pegasus Project, former NSA defense
contractor and surveillance whistleblower Edward Snowden warned that spyware is
not a small problem. It is, he said, everywhere.

> “When I look at this, what the Pegasus Project has revealed is a sector where
> the only product are infection vectors, right? They don’t—they’re not security
> products. They’re not providing any kind of protection, any kind of
> prophylactic.”

Snowden said.

> “They don’t make vaccines. The only thing they sell is the virus.”

ABOUT THE AUTHOR

Pieter Arntz
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four
languages. Smells of rich mahogany and leather-bound books.

