Critical vulnerability in WebP Codec has browser vendors scrambling for updates

stackdiary.com Critical vulnerability in WebP Codec has browser vendors scrambling for updates

A significant vulnerability in the WebP Codec has been unearthed, prompting major browser vendors, including Google and Mozilla (update: Mozilla has now

This affects all browsers and not just Chrome, as the media falsely reported it. Mozilla just rolled out a fix, and Brave is looking into it. This bug is likely related to the "zero-click" iOS 0day that was reported by Citizen Lab last week.

34 comments
  • Sigh, just when I really switched over to making memes in webp

    • The only reason I know what webp is, is because it's "that dumb format" that doesn't play like a GIF in Signal.

    • Don't be evil

    • Fucking hate that shit, I have to screenshot it when sending to the group chat cause it won't upload webp.

    • now whilst i know why people like webp, maybe we could stop using formats owned by google..

      until jpegxl becomes viable (which it mainly isn't because it compete[s/d] with webp), let's stick to nice formats not owned by tech giants, like apng?

      • Problem is, it takes a huge brand like Google or Apple to push a new format for something basic like images. Do you know how many alternative image formats exist that have tried to be the next jpg/gif/png? Hundreds.

        I just really wish people would stop clinging to these old formats, especially gif. Maybe when the tech giants get some traction with webp, more open alternatives can get popular as well, once people realize that jpg and gif aren't the end of everything, and app developers get off their fat asses and start supporting other formats too. It just needs to start somewhere.

        Just like ogg probably wouldn't be a thing if commercial mp3 didn't pave the way, or we probably wouldn't have divx/h264... without Real Media and Quick Time. Signal wouldn't be so popular either without the likes of Skype and Viber.

        Of course I'd prefer open, free standards from the start, but you can see how fucking lazy people are (both users and developers) to support new formats.

        That said, it's not like webp is closed or anything, so I'm ok with it.

        • jpegxl actually has pretty good support - affinity, photoshop, gimp, krita, etc. all support it fine

          it's only chrome/electron that's holding it back (even firefox supported it until chrome dropped support). i don't think it's laziness

          i have no love for gif (hence i use apng), but all the other alternatives are either videos so show controls by default, not widely supported, or webp. i realise webp is objectively the better format for most things, but i still argue its existence is a net negative effect

          webp may be open (although actually i'd argue it isn't, the licences for the decoder and the format itself are both very woolly), but as it's actively contributing to enshittification by holding back truly open formats i'd say that doesn't really matter

          • > jpegxl actually has pretty good support - affinity, photoshop, gimp, krita, etc. all support it fine

            Sorry, 5 graphics programs isn't "support". You need support from the million mobile apps, web sites and image and web libraries. A format that you can only use by yourself or with a handful professionals is useless in practice.

            Ed: look at the list of formats supported by XnView

            > holding back truly open formats i'd say that doesn't really matter

            There's been hundreds of new image formats in the last ~20 years, and none has gotten anywhere.

            Even PNG needed a decade for some things to support it properly, and that one really had a brand new massive use case.

            People use gif to make videos for crying out loud, and bitch about webp all the time, that's how massive the pushback against new formats is.

            Do you really think jpegxl would get anywhere by itself? No, it would be the same as with jpeg2000 and tons of other formats - first supported by a handful of programs, but not used by anyone else and then forgotten.

            • > Sorry, 5 graphics programs isn’t “support”. You need support from the million mobile apps, web sites and image and web libraries. A format that you can only use by yourself or with a handful professionals is useless in practice.

              i gave those because they're the most pertinent programmes for people dealing with creating & editing images. there are mobile (or at least android) libraries; and web is the issue i'm talking about - it's hampered by chromium. there are more here if you're interested.

              and i'd say that's not bad for a format that's only a few years old

              > Ed: look at the list of formats supported by XnView

              i don't know what this is supposed to mean. xnview supports jxl

              > There’s been hundreds of new image formats in the last ~20 years, and none has gotten anywhere.

              because png is good. i'm not defending gif or jpeg, they suck. but png is simple, fast to decode, and open by design. there have been better formats, but not paradigm shiftingly better. it may not be the best as an image format, but it is good

              > Even PNG needed a decade for some things to support it properly, and that one really had a brand new massive use case.

              yeah that's my point, jxl has been adopted faster than png or webp (it was only officially standardised in 2022!)

              > People use gif to make videos for crying out loud, and bitch about webp all the time, that’s how massive the pushback against new formats is.

              i really don't think many people use gif. most people use gifv or similar (usually webm) without realising it. apart from its very specific use case, gif sucks; so most software automatically converts to something else

              > Do you really think jpegxl would get anywhere by itself? No, it would be the same as with jpeg2000 and tons of other formats - first supported by a handful of programs, but not used by anyone else and then forgotten.

              jpeg2k had major issues other than a lack of support - jxl has deliberately avoided those pitfalls

              • > i gave those because they're the most pertinent programmes for people dealing with creating & editing

                That's not how people use images. For an image format to be viable, you need your camera to support it, your gallery app/program to support it, the web sites you upload it to, the messaging platforms you share it through.

                If there's a break in the chain, people will screenshot the picture as png and bitch to you that you're using something weird.

                I've been trying to get people to use or support image formats for 15 years, previously as a tech journalist too, and the resistance is totally absurd. "Why change what works", "just because it's new doesn't mean I have to use it" are the typical responses you get from everyone.

                > i really don't think many people use gif.

                Oh you'd be surprised... Gaming videos on Steam, screen recordings, porn clips by amateurs, or just random clips, the amount of low-res gifs with 10s of MB in size is crazy.

                > jpeg2k had major issues other than a lack of support - jxl has deliberately avoided those pitfalls

                Sure, it's shitty of Google to drop the support, but from experience I'm still unfortunately 100% sure it wouldn't have gotten anywhere.

                Heck, Apple has been using HEIF for years and that's a trillion dollar company with a huge market share, and you still get shitton of places where you can't use it.

                • > That’s not how people use images. For an image format to be viable, you need your camera to support it, your gallery app/program to support it, the web sites you upload it to, the messaging platforms you share it through.

                  yes. i agree. but that's my exact point. if i make an image then upload it to the internet - the only software that's involved is on my side (gimp, ps, whatever[^1]) and the browser of the person viewing it. if it was supported in chromium, that's automatically available in chrome, edge, vivaldi, brave, discord, element, spotify, whatever other chromium-embedded or electron apps you care to name. given the (unfortunate) prominence of electron-based programmes nowadays; that's good enough for anyone who isn't a professional, and they're already fine. fuck it, it has the joint photographic experts group behind it - they're quite a big name in photography

                  > Oh you’d be surprised… Gaming videos on Steam, screen recordings, porn clips by amateurs, or just random clips, the amount of low-res gifs with 10s of MB in size is crazy.

                  meh, i haven't seen any in the past ~5 years apart from ones specifically chosen for that 256 colour æsthetic; but i will believe you

                  > Sure, it’s shitty of Google to drop the support, but from experience I’m still unfortunately 100% sure it wouldn’t have gotten anywhere.

                  > Heck, Apple has been using HEIF for years and that’s a trillion dollar company with a huge market share, and you still get shitton of places where you can’t use it.

                  it did get places. it has got places. again, it's very new and is already well supported

                  jpeg2k failed because of licencing and royalty issues[^2]. heif hasn't spread because of licencing and royalty issues. in my personal opinion, webp has licencing issues. png didn't. jpeg (sort of) didn't. jxl doesn't.

                  but anyways, this isn't a pro-jxl comment; it's an anti-webp comment. i used jxl as an example of why webp, and its adoption, is making the web worse even though it's better than png from a technical standpoint

                  [^1]: or camera, you're right; but i'm pretty sure that A) there are some cameras that support it already, and B) again, the jpe group have a considerable amount of sway so i'm sure they could persuade most camera manufacturers to support it

                  [^2]: i mean, as well as the fact it didn't really bring anything new to the table. but that's a whole other point

                  • > if i make an image then upload it to the internet - the only software that's involved is on my side (gimp, ps, whatever[^1]) and the browser of the person viewing it.

                    It's not. The web site you're uploading to has to support it to allow you the upload in the first place, and to process it to make previews or lower-res versions for the web pages or apps.

                    Well unless you're uploading directly through ftp and share only the link, but again that's not how people use pictures.

                    Then if the person on the other side wants to download the picture, set it as wallpaper, send it through messenger, then those programs need to support it too.

                    Heck now that I think about it, browser support isn't even that critical because web sites can make media available in whatever format the browser supports. The important part is the backend, and local apps.

                    > meh, i haven't seen any in the past ~5 years apart from ones specifically chosen for that 256 colour æsthetic; but i will believe you

                    Do believe me, recently I've started converting those I want to keep to mp4 and I'm saving gigabytes.

                    Recently I've had some debates here with people looking for better support for gifs, or how to encode them better or whatever, and I nudge them towards webp at least. Because simply, if the web site supports only jpg, png, gif and webp uploads, then I definitely prefer webp.

                    > it did get places. it has got places. again, it's very new and is already well supported

                    It's not all that well supported in lots of those cases I mention. And where it did get, it only got because Apple has actually billions of devices out there and has the power to make the format default among them with one worldwide update. Yet it still has to convert to jpg when sharing elsewhere by default. That's how huge the resistance is.

                    It's not all that new either, heif was introduced in 2017, webp even earlier and people still bitch that they can't use it because their oddball app doesn't support it.

                    Meanwhile x265 has been a common thing for years, and every few years before there's been a new generation of video codec, and nobody ever bats an eye when there's a new update.

                    > jpeg2k failed because of licencing and royalty issues. heif hasn't spread because of licencing and royalty issues

                    I'm not advocating for these formats specifically (definitely not jpeg2000 haha), but I'm saying licences and royalties aren't that super important when it comes to how supported something becomes.

                    Hell look at Apple... Everything is proprietary.

                    Or when it comes to formats, mp3 is still the most widely supported audio format (non-free), and DivX has been the most widely supported video format for much longer than anything else... Also non-free.

                    > jpe group have a considerable amount of sway so i'm sure they could persuade most camera manufacturers to support it

                    Haha hardware camera makers are the slowest dinosaurs when it comes to technology. Took them fucking ages for some to support DNG raw format, and before h264 was already getting grey, most would record videos only in mjpeg.

                    But it's more about phone cameras anyway. And well with those we'll only have webp and heif at most, so I guess we have to deal with that anyway.

                    Maybe if Mozilla had not abandoned their FF OS, maybe that would've been a camera supporting jpegxl now.

                    • > It’s not. The web site you’re uploading to has to support it to allow you the upload in the first place, and to process it to make previews or lower-res versions for the web pages or apps.

                      alright yeah i guess. to be honest i was more talking about using images i've made on my own site, or publishers using an image format on their own websites. as for uploading to other sites it's a complete mess: even tumblr doesn't allow uploading webp, but it then automatically converts to webp which makes a horrible blurry mess

                      > Do believe me, recently I’ve started converting those I want to keep to mp4 and I’m saving gigabytes.

                      i wasn't being sarcastic! i do believe you. and yeah, i'd do the same

                      > It’s not all that well supported in lots of those cases I mention. And where it did get, it only got because Apple has actually billions of devices out there and has the power to make the format default among them with one worldwide update. Yet it still has to convert to jpg when sharing elsewhere by default. That’s how huge the resistance is.

                      sorry, i was talking about jxl here. i agree heif hasn't got anywhere; but that is, again, mostly due to licencing issues (unsurprisingly, given it's apple)

                      > I’m not advocating for these formats specifically (definitely not jpeg2000 haha), but I’m saying licences and royalties aren’t that super important when it comes to how supported something becomes.

                      > Hell look at Apple… Everything is proprietary.

                      yeah exactly - none of apple's formats are supported outside of apple devices (and i guess itunes for windows)

                      > Or when it comes to formats, mp3 is still the most widely supported audio format (non-free), and DivX has been the most widely supported video format for much longer than anything else… Also non-free.

                      that's a fair point, and i can't really explain that - i can only assume it's big for the same reason as gif: it was good enough at the time, and got standardised by cds

                      > Haha hardware camera makers are the slowest dinosaurs when it comes to technology. Took them fucking ages for some to support DNG raw format, and before h264 was already getting grey, most would record videos only in mjpeg.

                      really? now admittedly i don't know much about cameras, but i've had a couple of filmmaker friends and i was under the impression raw was universally supported

                      > But it’s more about phone cameras anyway. And well with those we’ll only have webp and heif at most, so I guess we have to deal with that anyway.

                      i'm not sure about that - even google camera doesn't support webp (i mean, it's called "web picture", i think they see it as a web format primarily). i think phone cameras will continue to be solely jpg for a long time

                      > Maybe if Mozilla had not abandoned their FF OS, maybe that would’ve been a camera supporting jpegxl now.

                      that'd be nice. i do wish mozilla wasn't so catastrophically mismanaged all around

                      • Aye so bottom line, we're stuck with what exists until new formats are forced upon everybody... ¯\_(ツ)_/¯

                        Ed:

                        > was under the impression raw was universally supported

                        Raw isn't a format, it's supposed to just be unaltered stream from the imager, so every camera model is unique in that regard. But DNG is a way to describe that data so it's more readable to programs unfamiliar with the specific model. And well, some makers prefer to use their own proprietary models.

                        Although it's gotten better now that nobody buys standalone cameras so the makers can save money by not developing their own software.

                        Ed2:

                        > none of apple's formats are supported outside of apple devices (and i guess itunes for windows)

                        Actually AAC is mostly Apple's format and support for it is pretty great. I'm not super familiar with the details but it sounds like a similar situation as with webp.
