Research has now revealed that the recent Apple and Google zero-day patches were fixing the same bug in a software library both companies use: libwebp, the WebP image-decoding library, which is bundled in millions of apps.
Incomplete disclosures by Apple and Google create “huge blindspot” for 0-day hunters | Ars Technica
However, because neither Apple nor Google disclosed that libwebp was the root cause of their security fixes, other developers shipping libwebp in their own products had no signal that they needed to patch, leaving their users vulnerable to the same attack.
Your takeaway from this
Sharing information about cyber security issues and vulnerabilities creates a “herd immunity” that defeats the threat actors, but everyone must take part, from the biggest tech giants to the smallest organisation, including you. So have a media response ready in case you suffer a cyber incident.
Don’t have a media response in your incident response plan? Then it is time to contact us.
The second takeaway is that the web and software developers you use are almost certainly relying on shared third-party libraries too – that is how the software industry works – but have you asked them how they track which libraries are in their products and how they patch them when a fix is released?
When I run an IT and Cyber Security audit, I always ask these questions of any third-party suppliers.
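One concrete way to answer that supplier question is to ask for a software bill of materials (SBOM) and check it yourself for copies of the affected library, including copies bundled inside other components, which is exactly where the libwebp problem hid. The script below is an added example for this article, not the author's tooling or anything from the libwebp project. It parses a CycloneDX JSON SBOM (the sample SBOM is constructed inline), walks nested components so that statically bundled copies are found, and flags every libwebp copy older than a fixed version. The fixed-version value 1.3.2 is an assumption used for illustration and should be confirmed against the libwebp release notes before you rely on it.

```python
"""Scan a CycloneDX SBOM for bundled copies of libwebp older than the fixed release.

Added example, not the article author's code. The SBOM below is constructed
for the illustration; FIXED_VERSION is an assumption to verify upstream.
"""
import json
import re

# Assumed for illustration: first libwebp release carrying the fix.
# Confirm against the upstream advisory / release notes before use.
FIXED_VERSION = "1.3.2"

# Constructed sample SBOM (CycloneDX 1.4 JSON). One application statically
# bundles an old libwebp, the OS package is patched, and a Python wheel
# vendors a copy under the shorter name "webp" that only the purl reveals.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "photo-uploader", "version": "4.2.0",
         "components": [
             {"type": "library", "name": "libwebp", "version": "1.2.4",
              "purl": "pkg:generic/libwebp@1.2.4"}]},
        {"type": "library", "name": "libwebp", "version": "1.3.2",
         "purl": "pkg:deb/debian/libwebp@1.3.2"},
        {"type": "library", "name": "Pillow", "version": "9.5.0",
         "purl": "pkg:pypi/pillow@9.5.0",
         "components": [
             {"type": "library", "name": "webp", "version": "1.3.0",
              "purl": "pkg:generic/libwebp@1.3.0"}]},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
    ],
})

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '1.3.2', 'v1.3.2' or '1.3.2-1' into a tuple of ints.

    Distro suffixes (-1, +deb12u1) are dropped; pre-release tags such as
    '~rc1' are also dropped, so an rc would compare equal to the release.
    Distros that backport fixes without bumping the version must be judged
    against the distro's own advisory, not this threshold.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        return (0,)
    return tuple(int(part) for part in match.group(1).split("."))


def is_libwebp(component):
    """Match by name or by package URL, since bundled copies are often renamed."""
    name = component.get("name", "").lower()
    purl = component.get("purl", "").lower()
    return name in {"libwebp", "webp"} or "libwebp" in purl


def _walk(components, parent=None):
    """Yield (parent_name, component) for every component, descending into
    nested components so statically bundled copies are not missed."""
    for component in components or []:
        yield parent, component
        yield from _walk(component.get("components"), component.get("name"))


def find_vulnerable(sbom_json, fixed_version=FIXED_VERSION):
    """Return (parent, name, version) for each libwebp copy below fixed_version."""
    sbom = json.loads(sbom_json)
    fixed = parse_version(fixed_version)
    findings = []
    for parent, component in _walk(sbom.get("components", [])):
        if not is_libwebp(component):
            continue
        version = component.get("version", "0")
        if parse_version(version) < fixed:
            findings.append((parent, component["name"], version))
    return findings


if __name__ == "__main__":
    for parent, name, version in find_vulnerable(SAMPLE_SBOM):
        where = f"bundled in {parent}" if parent else "top-level package"
        print(f"{name} {version} ({where}) is older than {FIXED_VERSION}")
```

Note what the sample shows: the operating system's libwebp package is patched, yet two older copies are still shipping inside other products. Many SBOMs omit statically linked or vendored libraries entirely, so when you ask a supplier for one, ask specifically whether bundled components are included; an SBOM that lists only top-level packages would have reported this environment as clean.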
Clive Catton MSc (Cyber Security) – by-line and other articles