Microsoft Edge and Teams get zero-day fixes in open source libraries | spcilvly

microsoft

Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open source libraries used by the three products.

The first bug is a flaw identified as CVE-2023-4863 and caused by a buffer overflow weakness in the WebP code library (libwebp), the impact of which ranges from crashes to arbitrary code execution.

The second (CVE-2023-5217) is also caused by a buffer overflow weakness in the VP8 encoding of the libvpx video codec library, which could cause application crashes or allow arbitrary code execution after a successful exploitation.

The libwebp library is used by a large number of projects to encode and decode images in WebP format, including modern web browsers such as Safari, Mozilla Firefox, Microsoft Edge, Opera, and native Android web browsers, as well as popular applications such as 1Password. and Signal.

libvpx is used for encoding and decoding of VP8 and VP9 videos using desktop video player software and online streaming services such as Netflix, YouTube, and Amazon Prime Video.

“Microsoft is aware of and has released patches associated with the two open source software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217,” Redmond revealed in a Microsoft Security Response Center advisory published Monday. .

The two security flaws only affect a limited number of Microsoft products, and the company patched Microsoft Edge, Microsoft Teams for desktop, Skype for desktop, and Webp Image Extensions against CVE-2023-4863 and Microsoft Edge against CVE-2023-5217 .

Microsoft Store will automatically update all affected Webp Image Extensions users. However, the security update will not be installed if automatic updates from the Microsoft Store are disabled.

Exploited in spyware attacks

Both vulnerabilities were labeled as exploited in the wild when they were disclosed earlier this month, although there are no details about these attacks.

However, the bugs were reported by Apple Security Engineering and Architecture (SEAR), Google Threat Analysis Group (TAG), and Citizen Lab, the latter two research teams with a proven track record of finding and revealing zero-day vulnerabilities in software attacks. targeted spy. .

“Access to the bug details and links may remain restricted until the majority of users are updated with a fix,” Google said in revealing that CVE-2023-4863 has been exploited in the wild.

“We will also maintain restrictions if the bug exists in a third-party library that other projects depend on in a similar way, but which has not yet been fixed.”

Google assigned a second CVE ID (CVE-2023-5129) to the libwebp security vulnerability, labeling it as a maximum severity bug, which caused confusion within the cybersecurity community.

While a Google spokesperson did not respond to a request for comment, MITER later rejected the new CVE ID as being a duplicate of CVE-2023-4863.

Update: Revised article to remove incorrect link between CVE-2023-5217 and Predator spyware attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *