[benhawkes]

Well, we don't know for sure that an exploit exists for this bug on Android yet (the original exploit was for iOS via iMessage), but there's a reasonably high chance that one has been developed already. These types of exploits are in very high demand for Android right now, I've heard some eye-watering prices being mentioned recently.

Updating Chrome on an unsupported device would fix the issue, but you would still need an Android OS upgrade to fix the issue for apps like Signal and WhatsApp. Chrome bundles its own version of libwebp, but messaging apps and other highly exposed stuff like Gmail all use the OS provided interfaces for displaying images. Hopefully we'll start getting updates for security-supported Android devices in early October.

[TheGuyWhoCodes]

This is honestly pretty bad. You either wait a month (or more) for the OS security update, if you are lucky enough that your device is supported.

Or the app could bundle the library, they can push updates faster but then again they could just use an old version and never update like most 3rd party dependencies these days.

[TheHappyOddish]

This is the primary reason why I push the the non technically inclined (grandparents, older friends, etc) in my life to use iPhones. The latest Pixel I believe is now offering 6 years security patched (which makes it an Android leader), but 7+ years is already the standard on the cheapest iPhone option.

The argument of a $1000 Androd phone vs a $1500 iPhone falls over if you have to replace that Android phone 2 more times in the same period.

[ocdtrekkie]

I have iOS devices from 2015 that still get security updates and already patched for this issue. It's really just straight up irresponsible at this point that Android can't actually do this.

[pja]

So there’s a webp system library as well as the one in Chrome?

Nice of Google to drop security support for the Pixel 4a just before this bug drops.

[vuln]

You’re saying that Google knew about the bug and purposely dropped security support for the pixel 4a right before? Support didn’t age out, like it typically does (age of device)? Google just pulled security support for this one device?

[pja]

No, I’m saying it’s extremely frustrating that Google just drops security support entirely for devices like this, when they could continue to at least patch egregious platform bugs like this one, even if they can’t fix everything.

It’s just icing on the proverbial cake that a month after they drop security support for the 4a a 0-click remote exploit is found.

[tamimio]

> Well, we don't know for sure that an exploit exists for this bug on Android yet

If the target is an Android, definitely an advanced exploit like this isn’t needed, so even if it will work, an easier ones most likely to be used.

[kristopolous]

Can you give me a real number on that? Are we talking over a million? Over 5?

[0x53]

The only publicly posted price list that I know of is zerodium’s (evil people). http://zerodium.com/program.html They currently offer 2.5 million for an android zero click with persistence. This doesn’t give you the persistence piece without another bug so maybe 2m. Of course, they are only willing to offer that price if they could sell it for much more.