Open-source library zero-days addressed by Microsoft

Microsoft's Teams, Edge, and Skype have been given emergency updates to address zero-day vulnerabilities impacting the WebP code library or lilwebp, tracked as CVE-2023-4863, and the libvpx video codec library, tracked as CVE-2023-5217, both of which could be exploited to achieve arbitrary code execution, reports BleepingComputer. Microsoft Teams for Desktop, Edge, Skype for Desktop, and Webp Image Extensions are impacted by CVE-2023-4863, while only Microsoft Edge is affected by CVE-2023-5217, according to Microsoft, which noted that impacted Webp Image Extensions users will receive an automatic update although such updates should be enabled in the Microsoft Store. Active exploitation of both vulnerabilities was reported by Google Threat Analysis Group, Apple Security Engineering and Architecture, and Citizen Lab researchers although details regarding the attacks have not been disclosed. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed," said Google.