A new security vulnerability (CVE-2023-4863) has been identified impacting major web browsers. Iress Pro is vulnerable to CVE-2023-4863 but we have not identified any exploitation of our software. We have included a security patch in the latest version of Iress Pro which has just been released. Download here.
About the vulnerability
Citizen Lab has recently disclosed CVE-2023-4863, the most recent zero-day vulnerability. The vulnerability was discovered in WebP, an image file format developed by Google and supported by other web browser makers. The security vulnerability impacts Google Chrome versions prior to 116.0.5845.187 and allows a remote attacker to perform an out-of-bounds memory write through a malicious WebP image. Researchers uncovered the vulnerability was utilized to deploy the Pegasus spyware developed by NSO Group.
Although Iress have not identified any exploitation of our software at this stage, we have taken immediate preventative measures to ensure our software has been patched to remove our exposure to CVE-2023-4863. We now also strongly recommend that clients take the latest release as a priority.
Is Iress Pro vulnerable to CVE-2023-4863?
Yes, Iress Pro is vulnerable to CVE-2023-4863, Iress Pro contains an embedded browser that utilizes a Chrome library which is affected by the CVE-2023-4863 vulnerability.To mitigate the CVE-2023-4863 risk, we have taken immediate preventative measures to ensure our software has been patched to remove our exposure to CVE-2023-4863. We now also strongly recommend that clients take the latest release (21.1.60) as a priority.
Has Iress Pro been patched and secured?
Yes, we have patched embedded browsers using the affected Chrome library in Iress Pro release 21.1.60, and strongly recommend all clients upgrade to this release as of 15 Sep 2023.
What is the ask from the clients?
Clients are strongly recommended to upgrade their Iress Pro with the latest version which was released today.
What is the risk if we do not update to this new version?
Iress Pro currently uses Chromium and MS Edge as part of loading web capabilities within the product.
The components that use Chromium have been patched in the latest Pro version. Unpatched versions are at low risk of being able to execute the exploit as they are controlled in a way that users cannot execute code within these components.
Iress Pro has an internal browser which uses MS Edge from versions 21.1.20 onwards and the version of MS Edge is based on the MS Edge version on the client system. Patches to MS Edge are deployed through the standard MS Automatic Updates.
For versions prior to 21.1.20, Iress Pro used a version of MS Internet Explorer which was embedded in the Pro version and this has the ability to execute malicious code on behalf of the user, however Internet Explorer is less likely to be affected by this vulnerability as it is not a Chromium based-browser.
Users who are able to access websites without restriction are those that would be at the highest risk of executing malicious code through Pro. This would apply to those users running older versions of Pro without any restrictions to the websites they can access.
We recommend having your information security assess the risk for your organisation.