The Eastern Cyber Resilience Centre has recently been made aware of a significant vulnerability in many web browsers and applications, which has been classified as severe. It requires immediate action. This vulnerability can allow threat actors to overwrite data, run malicious code or even gain unauthorised system access.
The first step is to make sure that your web browser is up to date, as most companies have already released patches specifically designed to mitigate this issue. Links to instructions for updating are below:
Microsoft Edge: Microsoft Edge update settings - Microsoft Support
Google Chrome: Update Google Chrome - Computer - Google Chrome Help
Mozilla Firefox: Update Firefox to the latest release | Firefox Help (mozilla.org)
macOS: Update macOS on Mac – Apple Support (UK)
It is also worth noting that this bug affects many cross-platform apps built on Electron and Flutter. These include apps such as the Affinity suite, Signal, 1Password (now patched), Thunderbird (now patched), GIMP, Inkscape, LibreOffice, ffmpeg, and many Android apps. As always, the advice is to make sure all your applications and operating systems are fully up to date to mitigate these types of vulnerabilities.
For more information on this vulnerability and a beginner-friendly explanation of what it can do, you can consult the following blog post: Critical WebP bug: many apps, not just browsers, under threat (stackdiary.com).
The ECRC is a police-led organisation that can help you with identifying your cyber vulnerabilities and how to fix them. At this stage we would advise you to do three things now.
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online.
Forward suspicious emails to report@phishing.gov.uk.
Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).