Microsoft has released an emergency update of Skype and Edge, saving you from spyware

Details of how the zero-day vulnerabilities in Microsoft products are being used in attacks remain closely guarded.

Microsoft has released emergency security updates for Edge, Teams, and Skype to address two zero-day vulnerabilities in open-source libraries used by those products:
  • CVE-2023-4863 (CVSS: 8.8), a heap buffer overflow in the WebP image library (libwebp), whose impact ranges from crashes to arbitrary code execution;
  • CVE-2023-5217 (CVSS: 8.8), a heap buffer overflow in the VP8 encoder of Google's libvpx video codec library, which leads to application crashes or arbitrary code execution when exploited. The bug is reported to have been used to install spyware.

The libwebp library is used by a large number of projects for encoding and decoding images in WebP format, including modern web browsers such as Safari, Mozilla Firefox, Microsoft Edge, Opera, and embedded Android web browsers, as well as popular applications such as 1Password and Signal.

Libvpx is used to encode and decode VP8 and VP9 video formats in desktop video player software and online streaming services such as Netflix, YouTube, and Amazon Prime Video.

The two flaws affect only a limited number of Microsoft products; the company fixed them in Microsoft Edge, Microsoft Teams, Skype and the WebP Image Extension. The Microsoft Store will automatically install the update for all affected users of the WebP Image Extension. However, the security update will not be installed if Microsoft Store automatic updates are disabled.

The bugs were discovered by Apple Security Engineering and Architecture (SEAR), Google's Threat Analysis Group (TAG), and Citizen Lab. Both vulnerabilities were marked as exploited in the wild, although no details about the attacks have been reported. According to Google, access to bug details and links may be restricted until most users have received the fixes.

Recall that the CVE-2023-4863 bug was fixed by Google at the end of September. The company initially treated the issue as a Chrome bug, but later assigned it a separate identifier (CVE-2023-5129) and a severity score of 10/10, designating the flaw as a critical security threat in the libwebp library.

According to a statement from Google, the company is aware that CVE-2023-5217 is actively exploited in the wild. The vulnerability was fixed in Google Chrome version 117.0.5938.132 for Windows, Mac and Linux. The browser also checks for new versions automatically and installs them on the next launch, so that all users receive the update.
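For a Windows administrator, the two actionable points in this story are whether Store automatic updates are actually on (otherwise the WebP Image Extension fix never arrives) and whether installed browsers are at or above the fixed build. The following PowerShell script is an added example, not part of the article or of any Microsoft or Google tooling. It assumes the Store package name Microsoft.WebpImageExtension, the Group Policy value AutoDownload under HKLM\SOFTWARE\Policies\Microsoft\WindowsStore (2 = automatic download and install turned off), and the default Chrome install paths. The only fixed version taken from the article is Chrome 117.0.5938.132; the article does not state the patched version of the WebP Image Extension, so that value is a placeholder parameter the reader must fill in from Microsoft's advisory.

```powershell
# Added example (not from the article): inventory check for the components named above.
# Assumed: package name, policy registry value and Chrome paths (see lead-in).
param(
    [version]$ChromeFixed  = '117.0.5938.132',   # fixed Chrome build stated in the article
    [version]$WebpExtFixed = '0.0.0.0'           # PLACEHOLDER: replace with the patched WebP Image Extension version
)

function Get-StoreAutoUpdateState {
    # The policy "Turn off Automatic Download and Install of updates" writes AutoDownload = 2.
    # If the value is absent, Store auto-updates are on (the default).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    $val = (Get-ItemProperty -Path $key -Name AutoDownload -ErrorAction SilentlyContinue).AutoDownload
    if ($val -eq 2) { 'Disabled' } else { 'Enabled' }
}

function Get-WebpExtensionStatus {
    # Assumed package name of the Store-delivered WebP Image Extension. -AllUsers needs an elevated shell.
    $pkgs = Get-AppxPackage -AllUsers -Name 'Microsoft.WebpImageExtension' -ErrorAction SilentlyContinue
    if (-not $pkgs) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $null }
    }
    # Several versions may be staged for different users; judge by the newest one.
    $newest = $pkgs | Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    [pscustomobject]@{
        Installed = $true
        Version   = $newest.Version
        Patched   = ([version]$newest.Version -ge $WebpExtFixed)
    }
}

function Get-ChromeStatus {
    # Reads the product version embedded in chrome.exe from the default install locations.
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    $exe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $exe) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $null }
    }
    $ver = [version](Get-Item $exe).VersionInfo.ProductVersion
    [pscustomobject]@{ Installed = $true; Version = $ver; Patched = ($ver -ge $ChromeFixed) }
}

# Summary for the host: a 'Disabled' Store state combined with an unpatched
# extension is the situation the article warns about.
[pscustomobject]@{
    StoreAutoUpdates = Get-StoreAutoUpdateState
    WebpExtension    = Get-WebpExtensionStatus
    Chrome           = Get-ChromeStatus
} | Format-List
```

Run it from an elevated PowerShell so that Get-AppxPackage -AllUsers can enumerate packages staged for every profile; the Chrome check needs no elevation. A result of StoreAutoUpdates = Disabled together with Patched = False on the extension means the fix has to be pushed manually (or the policy reverted), since the Store will not deliver it on its own.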