Microsoft patches zero-day flaws in Teams, Edge and Skype

Two zero-day flaws in popular Microsoft products including Edge, Teams and Skype have been discovered and fixed, the company has confirmed.

Microsoft has addressed CVE-2023-4863 and CVE-2023-5217, which affect the code libraries used to encode and decode images in the WebP format and video with VP8 encoding. The two libraries in question are used by a host of popular software and services, including Safari, Firefox, Opera, various Android web browsers, 1Password and Signal, as well as Netflix, YouTube and Amazon Prime Video, according to the publication.

Should a threat actor exploit these flaws, they could execute arbitrary code on vulnerable endpoints.

Automatic updates

“Microsoft is aware of and has released patches related to the two Open-Source Software vulnerabilities, CVE-2023-4863 and CVE-2023-5217,” a business consultancy said.

The Microsoft Store will update all affected WebP Image Extension users without user intervention, the company further explained, emphasizing that users should first ensure that automatic updates are enabled. Otherwise, they must install the patch manually.
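For administrators who want to confirm the Store-delivered fix actually landed rather than assume it did, the following PowerShell inventory check is an added example and is not part of the article or Microsoft's guidance. It assumes the Store package is named `Microsoft.WebpImageExtension` and takes the minimum patched version as a placeholder parameter, to be filled in from Microsoft's advisory for CVE-2023-4863; it also reads the Store policy key that the "Turn off Automatic Download and Install of updates" Group Policy writes, so a host where automatic updates are blocked is flagged for manual patching.

```powershell
# Added example (not from the article): inventory the WebP Image Extension on a
# Windows host and flag installs below a minimum version. Run from an elevated
# prompt so -AllUsers can see every user's installation.
param(
    # PLACEHOLDER: replace with the fixed version listed in Microsoft's advisory
    [version]$MinimumVersion = [version]'0.0.0.0'
)

# Store package name for the WebP Image Extension (assumed; verify with Get-AppxPackage -AllUsers).
$packages = Get-AppxPackage -Name 'Microsoft.WebpImageExtension' -AllUsers

if (-not $packages) {
    Write-Output 'WebP Image Extension is not installed on this host.'
    return
}

foreach ($pkg in $packages) {
    $installed = [version]$pkg.Version
    $status = if ($installed -ge $MinimumVersion) { 'OK' } else { 'NEEDS UPDATE' }
    # Which user profiles have this version installed
    $users = ($pkg.PackageUserInformation | ForEach-Object { $_.UserSecurityId.Username }) -join ', '
    [pscustomobject]@{
        Package = $pkg.Name
        Version = $installed
        Status  = $status
        Users   = $users
    }
}

# Store auto-update policy: AutoDownload = 2 means automatic download/install is
# turned off, so the patched extension must be pulled manually from the Store.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' `
    -Name 'AutoDownload' -ErrorAction SilentlyContinue
if ($policy -and $policy.AutoDownload -eq 2) {
    Write-Warning 'Store automatic updates are disabled by policy; update the extension manually.'
}
```

Feed the script's objects into your asset inventory (for example by piping to `Export-Csv`) and the `NEEDS UPDATE` rows become the list of endpoints to chase; the version comparison uses `[version]` rather than string comparison so that four-part Store version numbers sort correctly.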

The flaws were apparently first spotted a few days ago by cybersecurity researchers from Apple’s Security Engineering and Architecture (SEAR), Google’s Threat Analysis Group (TAG), and Citizen Lab, with the teams saying they were being exploited in the wild. No further explanation was given at the time, but it’s worth noting that TAG and Citizen Lab typically hunt for state-sponsored threat actors and the zero-days they use in attacks.

Because these are zero-days (unpatched bugs) in active exploitation, Google has refrained from sharing details so as not to encourage other threat actors to jump on the bandwagon, which is standard practice among researchers: “Access bug details and links may be restricted until a majority of users have been updated with a fix,” Google said for CVE-2023-4863.

“We will also enforce restrictions if the bug exists in a third-party library that other projects similarly depend on but have not yet been resolved.”

Via BleepingComputer
