Microsoft patches zero-day flaws in Teams, Edge and Skype

Flaws in Microsoft tools are already being abused, so patch now

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Two zero-day flaws in popularMicrosoftproducts including Edge, Teams, and Skype have been discovered and patched, the company has confirmed.

Microsoft addressed CVE-2023-4863, and CVE-2023-5217, which affect the programs’ code libraries used to encode and decode images in the WebP format, and videos with VP8 encoding. The two libraries in question are used, the publication further adds, by a large number of popular software and services, includingSafari, Firefox, Opera, various Android web browsers, 1Password, and Signal, but also Netflix,YouTube, andAmazonPrime Video.

Should a threat actor abuse these flaws, they’d be able to run arbitrary code execution on vulnerableendpoints.

Automatic updates

“Microsoft is aware and has released patches associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217,” a company advisory stated.

The Microsoft Store will update all affected Webp Image Extension users without user interaction, the company further explained, stressing that users should first make sure automatic updates are enabled. Otherwise, they will need to trigger the patch manually.

The flaws were apparently first observed by cybersecurity researchers fromApple’s Security Engineering and Architecture (SEAR),Google’s Threat Analysis Group (TAG), and Citizen Lab, a few days ago, with the teams saying they were being exploited in the wild. No further explanation was given at the time, but it’s worth mentioning that TAG and Citizen Lab are usually on the hunt for state-sponsored threat actors and the zero-days they leverage in attacks.

As these are zero-days (flaws without a patch) in active exploitation, Google refrained from sharing details, not to motivate other threat actors to jump on the bandwagon, which is standard practice among researchers: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said for CVE-2023-4863.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Arcane season 2 act 1 ending explained: who is [SPOILER], when is episode 4 coming out, and your biggest questions answered