Security updates reminder

This is a critical reminder of the importance of keeping your software patched.


2 October 2023

The LSE Cyber Security team is reminding all staff and students to keep their devices and software up to date, following recent reports of widespread and severe exploits.

Zero-day vulnerabilities affecting a wide range of devices and software have been exploited in the wild. Originally reported as a bug in Google Chrome, the vulnerability was re-issued to acknowledge that its danger extends far more widely. There are some great explanations out there, such as this article by Ben Hawkes, which we recommend reading for a more technical explanation.

To protect your data and devices from attackers, it is strongly recommended to install security updates as soon as they become available. These updates contain important patches to address active exploits affecting your device’s software, including web browsers like Google Chrome, and its operating system. Exploited vulnerabilities can result in important data such as passwords, bank details, contact lists, or other sensitive information being stolen from your device. On top of exfiltrating valuable data, an attacker could gain full control over your device and execute code remotely by exploiting a zero-day vulnerability.

One particularly noteworthy example is that one of the libraries being exploited (libwebp) is built into the Android operating system. Because manufacturers implement their own versions of Android, security patches in general can be problematic, as users rely on the patching schedule of their chosen phone manufacturer. This issue is exacerbated by high-severity threats, as we can see with the libwebp exploit. This vulnerability is also present in many phone apps and desktop programs, which will need to be updated separately from Android or any other affected operating system.

While concrete details aren’t available, and these exploits may not affect you, this is a critical reminder of the importance of keeping your software patched:

  • Please ensure that you’re accepting security updates on your software, both at LSE and on personally owned devices.  

  • Patches have already been released for many common pieces of software. Major web browsers like Chrome, Firefox, or Edge have all pushed out updates in the last week – hopefully, these were already installed when you opened your browser.

  • Please note updates may continue to pop up throughout the next few days and weeks. 

The LSE Cyber Security team can’t provide an exhaustive list of vulnerable apps/programs, so it’s best to make sure that all of your software is up to date. 

If you need help installing security updates, please contact the Service Desk at tech.support@lse.ac.uk or visit the IT Walk-In Centre on the first floor of LRB.