
Microsoft has released emergency patches to address critical security vulnerabilities in some products, including the Edge browser, Teams chat app, and Skype communications software.

The vulnerabilities exist in two open-source libraries – one handling the WebP image format and one handling the VP8 video codec – used for image and video encoding/decoding. Many major software vendors bundle these libraries in their products, which is why a single bug in either one affects a wide range of applications.

The WebP vulnerability, tracked as CVE-2023-4863, is a heap buffer overflow that could enable remote code execution if exploited. In other words, visiting a web page or opening a file containing a specially crafted image could allow attackers to run code of their choosing on the target device.

The VP8 bug, CVE-2023-5217, is a heap overflow that could result in denial of service crashes or even remote code execution in products using the library.

Microsoft has released patches for the WebP flaw in Edge, Teams, Skype desktop, and the WebP Image Extensions in the Microsoft Store. The VP8 issue was addressed in updates for Edge only.

Security teams at Apple, Google and Citizen Lab reported these zero-day flaws. The researchers indicated the bugs were being actively exploited, though details of these attacks are not yet known. Some of the reporting organisations have previously uncovered exploits used in targeted spyware campaigns.

Administrators and users should apply the latest updates to any Microsoft products that use the vulnerable libraries. Because the bugs are reportedly being used in active attacks, prompt patching is recommended rather than waiting for a regular update cycle.