Microsoft has released emergency security updates for three of its key products: Edge, Teams and Skype. The action was prompted by a pair of zero-day vulnerabilities in two open-source libraries used by this software. The first issue, tracked as CVE-2023-4863, is a heap buffer overflow in the WebP code library (libwebp). This library is used for encoding and decoding images in the WebP raster graphics file format developed by Google. The second flaw, CVE-2023-5217, is also a heap buffer overflow, but this time in the VP8 encoding path of the libvpx video codec library.
Various Microsoft Products Affected
The vulnerabilities affect only a limited number of Microsoft products: just Edge, Teams for Desktop, Skype for Desktop and Webp Image Extensions required patching against CVE-2023-4863. For the second vulnerability, CVE-2023-5217, only Microsoft Edge needed an update. The Microsoft Store will automatically update Webp Image Extensions for all affected users, but this security update will not be installed where Microsoft Store automatic updates are disabled.
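Because the Webp Image Extensions fix arrives only through the Store, an administrator will want to confirm it actually landed. The following PowerShell check is an added example, not code from the article or from Microsoft; it assumes the Store package name Microsoft.WebpImageExtension, uses a placeholder for the patched build number (take the real one from Microsoft's advisory for CVE-2023-4863), and assumes the policy registry value that disables Store automatic updates.

```powershell
# Added example: verify the Webp Image Extensions Store package is at or above
# the patched build, and flag hosts where Store auto-updates are turned off.
# PLACEHOLDER: replace with the fixed build from Microsoft's CVE-2023-4863 advisory.
$MinimumPatchedVersion = [version]'0.0.0.0'

function Test-WebpExtensionPatched {
    param([version]$Minimum = $MinimumPatchedVersion)

    # Store packages are installed per user; -AllUsers (needs elevation) sees every copy.
    $packages = Get-AppxPackage -AllUsers -Name 'Microsoft.WebpImageExtension' -ErrorAction SilentlyContinue
    if (-not $packages) {
        return [pscustomobject]@{
            Installed = $false; Patched = $true; Versions = @()
            Note = 'Package not installed; this component does not expose CVE-2023-4863 here'
        }
    }
    $versions = $packages | ForEach-Object { [version]$_.Version }
    $oldest   = ($versions | Sort-Object)[0]   # one stale user copy is enough to fail
    [pscustomobject]@{
        Installed = $true
        Patched   = ($oldest -ge $Minimum)
        Versions  = $versions
        Note      = "Oldest installed build is $oldest; required at least $Minimum"
    }
}

function Test-StoreAutoUpdateDisabled {
    # Assumption: the "Turn off Automatic Download and Install of updates" policy
    # writes AutoDownload=2 under this key. Verify against your own GPO baseline.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    $value = (Get-ItemProperty -Path $key -Name AutoDownload -ErrorAction SilentlyContinue).AutoDownload
    return ($value -eq 2)
}

$result = Test-WebpExtensionPatched
$result | Format-List
if ($result.Installed -and -not $result.Patched) {
    if (Test-StoreAutoUpdateDisabled) {
        Write-Warning 'Store automatic updates are disabled by policy; the fix will not arrive on its own.'
    } else {
        Write-Warning 'Package is below the patched build; trigger a Store update check.'
    }
}
```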
Potential for Exploitation
Both flaws were exploited in the wild before their disclosure earlier this month. According to Citizen Lab, attackers used CVE-2023-5217 to deploy Cytrox's Predator spyware. For CVE-2023-4863, no specific details of attacks targeting the WebP flaw have been made public, but the bug was reported by Apple Security Engineering and Architecture (SEAR) and Citizen Lab, both with impressive track records in finding and disclosing zero-day threats.
In an intriguing development related to the CVE-2023-4863 flaw, Google assigned a second CVE ID (CVE-2023-5129) to the libwebp vulnerability and rated it a maximum-severity bug, creating some confusion within the cybersecurity community. Google then withdrew the new CVE ID, stating that it was a duplicate of CVE-2023-4863.