Microsoft patches zero-day flaws in Teams, Edge and Skype

News
By Sead Fadilpašić
published

Flaws in Microsoft tools are already being abused, so patch now

Microsoft logo
(Image credit: Shutterstock)

Two zero-day flaws in popular Microsoft products including Edge, Teams, and Skype have been discovered and patched, the company has confirmed.

Microsoft addressed CVE-2023-4863, and CVE-2023-5217, which affect the programs’ code libraries used to encode and decode images in the WebP format, and videos with VP8 encoding. The two libraries in question are used, the publication further adds, by a large number of popular software and services, including Safari, Firefox, Opera, various Android web browsers, 1Password, and Signal, but also Netflix, YouTube, and Amazon Prime Video. 

Should a threat actor abuse these flaws, they’d be able to run arbitrary code execution on vulnerable endpoints.

Automatic updates

"Microsoft is aware and has released patches associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217," a company advisory stated.

The Microsoft Store will update all affected Webp Image Extension users without user interaction, the company further explained, stressing that users should first make sure automatic updates are enabled. Otherwise, they will need to trigger the patch manually.

The flaws were apparently first observed by cybersecurity researchers from Apple’s Security Engineering and Architecture (SEAR), Google’s Threat Analysis Group (TAG), and Citizen Lab, a few days ago, with the teams saying they were being exploited in the wild. No further explanation was given at the time, but it’s worth mentioning that TAG and Citizen Lab are usually on the hunt for state-sponsored threat actors and the zero-days they leverage in attacks. 

As these are zero-days (flaws without a patch) in active exploitation, Google refrained from sharing details, not to motivate other threat actors to jump on the bandwagon, which is standard practice among researchers: "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said for CVE-2023-4863.

"We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed."

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.