Microsoft has released emergency security updates for Edge, Teams, and Skype to address two zero-day vulnerabilities in open-source libraries used by these products. The first vulnerability, CVE-2023-4863, is a heap buffer overflow weakness in the WebP code library (libwebp). This vulnerability can result in crashes or arbitrary code execution. The second vulnerability, CVE-2023-5217, is also a heap buffer overflow weakness, but this time in the VP8 encoding of the libvpx video codec library. Exploiting this vulnerability can lead to app crashes or allow arbitrary code execution.
The libwebp library is widely used for encoding and decoding images in the WebP format, including in popular web browsers like Safari, Mozilla Firefox, Microsoft Edge, and Opera, as well as in apps like 1Password and Signal. The libvpx library, on the other hand, is used for VP8 and VP9 video encoding and decoding by desktop video players and streaming services like Netflix, YouTube, and Amazon Prime Video.
Microsoft has already patched the affected products against these vulnerabilities. The Microsoft Store will automatically update all affected users of the Webp Image Extensions. However, if automatic updates are disabled, the security update will not be installed.
Both vulnerabilities were reported to have been exploited in the wild, although the specific details of these attacks are not yet known. The bugs were discovered by Apple Security Engineering and Architecture (SEAR), Google Threat Analysis Group (TAG), and the Citizen Lab, all of which have a track record of finding and disclosing zero-day vulnerabilities used in targeted spyware attacks.
Google initially assigned a second CVE ID (CVE-2023-5129) to the libwebp vulnerability, but it was later rejected by MITRE as a duplicate of CVE-2023-4863.
