Microsoft has rolled out urgent security updates for its Edge, Teams, and Skype applications in response to two zero-day vulnerabilities discovered in open-source libraries. The first vulnerability, known as CVE-2023-4863, is a heap buffer overflow weakness in the WebP code library (libwebp). The flaw's effects range from causing crashes to enabling arbitrary code execution. The second vulnerability, CVE-2023-5217, is also a heap buffer overflow weakness, but in the VP8 encoding of the libvpx video codec library. This could also lead to app crashes or allow arbitrary code execution if successfully exploited.
The libwebp library is utilized by numerous projects for encoding and decoding images in the WebP format. This includes modern web browsers like Safari, Mozilla Firefox, Microsoft Edge, Opera, and native Android web browsers, as well as popular apps like 1Password and Signal. The libvpx library is used for VP8 and VP9 video encoding and decoding by desktop video player software and online streaming services like Netflix, YouTube, and Amazon Prime Video.
Microsoft has acknowledged and released patches associated with these two open-source software security vulnerabilities, as stated in a Microsoft Security Response Center advisory. The security flaws only affect a limited number of Microsoft products. The company has patched Microsoft Edge, Microsoft Teams for Desktop, Skype for Desktop, and WebP Image Extensions against CVE-2023-4863, and Microsoft Edge against CVE-2023-5217. The Microsoft Store will automatically deliver the update to all affected WebP Image Extensions users unless Microsoft Store automatic updates are disabled.
Both vulnerabilities were tagged as being exploited in the wild when they were disclosed earlier this month. While no information is available on attacks targeting the WebP flaw, Google's Threat Analysis Group (TAG) and Citizen Lab researchers revealed that attackers used CVE-2023-5217 to deploy Cytrox's Predator spyware. Google has stated, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."
Although there are no details on attacks exploiting CVE-2023-4863, the bug was reported by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab, both of which have a proven track record of discovering and disclosing zero-days exploited in targeted spyware attacks. Google assigned a second CVE ID, CVE-2023-5129, to the libwebp security vulnerability, tagging it as a maximum severity bug, which caused confusion within the cybersecurity community. Google later withdrew the new CVE ID, stating it was a duplicate of CVE-2023-4863.