Microsoft Edge, Teams get fixes for zero-days in open-source libraries

Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products.

The first bug is a flaw tracked as CVE-2023-4863 and caused by a heap buffer overflow weakness in the WebP code library (libwebp), whose impact ranges from crashes to arbitrary code execution.

The second one (CVE-2023-5217) is also caused by heap buffer overflow weakness in the VP8 encoding of the libvpx video codec library, which could lead to app crashes or allow arbitrary code execution following successful exploitation.

The libwebp library is used by a large number of projects for encoding and decoding images in the WebP format, including modern web browsers like Safari, Mozilla Firefox, Microsoft Edge, Opera, and the native Android web browsers, as well as popular apps like 1Password and Signal.

libvpx is used for VP8 and VP9 video encoding and decoding by desktop video player software and online streaming services like Netflix, YouTube, and Amazon Prime Video.

"Microsoft is aware and has released patches associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217," Redmond revealed in a Microsoft Security Response Center advisory published Monday.

The two security flaws only affect a limited number of Microsoft products, with the company patching Microsoft Edge, Microsoft Teams for Desktop, Skype for Desktop, and Webp Image Extensions against CVE-2023-4863 and Microsoft Edge against CVE-2023-5217.

The Microsoft Store will automatically update all affected Webp Image Extensions users. However, the security update will not be installed if Microsoft Store automatic updates are disabled.

Exploited in spyware attacks

Both vulnerabilities were tagged as exploited in the wild when disclosed earlier this month, although there are no details on these attacks.

However, the bugs were reported by Apple Security Engineering and Architecture (SEAR), Google Threat Analysis Group (TAG), and the Citizen Lab, the last two research teams with a proven record of finding and disclosing zero-days exploited in targeted spyware attacks.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said when revealing that CVE-2023-4863 has been exploited in the wild.

"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

Google assigned a second CVE ID (CVE-2023-5129) to the libwebp security vulnerability, tagging it as a maximum severity bug, which caused confusion within the cybersecurity community.

While a Google spokesperson did not reply to a request for comment, the new CVE ID was later rejected by MITRE for being a duplicate of CVE-2023-4863.

Update: Revised article to remove incorrect link between CVE-2023-5217 and Predator spyware attacks.