Microsoft Fixes Zero-Day Vulnerabilities Affecting Edge, Teams, Skype

The vulnerabilities affect a limited number of Microsoft products, as only Edge, Teams for Desktop, Skype for Desktop, and Webp Image Extensions required patching.

Microsoft has released emergency security updates for three of its key products: Edge, Teams and Skype. The updates were prompted by a set of vulnerabilities in two open-source libraries used by these products. The first issue, tracked as CVE-2023-4863, is a heap buffer overflow weakness in the WebP code library (libwebp). This library is used to encode and decode images in the WebP raster graphics file format developed by Google. The second flaw, tracked as CVE-2023-5217, is also a heap buffer overflow weakness, but this time in the VP8 encoding of the libvpx video codec library.

Various Microsoft Products Affected

The vulnerabilities only affect a limited number of Microsoft products, as only Edge, Teams for Desktop, Skype for Desktop, and Webp Image Extensions required patching against CVE-2023-4863. For the second vulnerability, CVE-2023-5217, only needed an update. While the Microsoft Store will automatically update all affected Webp Image Extensions users, this security update will not be installed if Microsoft Store automatic updates are disabled.

Potential for Exploitation

Before the disclosure of the vulnerabilities earlier this month, both flaws were exploited in the wild. However, no information regarding attacks targeting the WebP flaw has been brought to light. Attackers, according to Citizen Lab, had used CVE-2023-5217 to deploy Cytrox's Predator spyware. As for CVE-2023-4863, while specific details on attacks are not known, the bug was reported by Apple Security Engineering and Architecture (SEAR) and Citizen Lab, both with impressive track records in finding and disclosing zero-day threats.

In an intriguing development related to the CVE-2023-4863 flaw, Google allocated a second CVE ID (CVE-2023-5129) to the libwebp security vulnerability and flagged it as a maximum severity bug, creating some confusion within the community. Google then withdrew the new CVE ID, stating that it was a duplicate of CVE-2023-4863.