bleepingcomputer[.]com/news/microsoft/microsoft-edge-teams-get-fixes-for-zero-days-in-open-source-libraries/
Open source code libraries are used by quite a lot of software, including Edge, Teams, Skype, & Windows Webp Image Extensions, the apps Microsoft just patched. The Windows Store is supposed to automatically update whatever apps you've got installed, assuming you've got auto update turned on, but the store can certainly take its time doing so -- this PC's been on for a few hours, & when I checked the Webp Image Extensions update wasn't yet listed as pending, though it did show up & update when I clicked to check for updates. You can expect updates for other web browsers too -- just checked and Opera had an update available for example.
The first bug is a flaw tracked as CVE-2023-4863 and caused by a heap buffer overflow weakness in the WebP code library (libwebp), whose impact ranges from crashes to arbitrary code execution.

The second one (CVE-2023-5217) is also caused by a heap buffer overflow weakness, this time in the VP8 encoding of the libvpx video codec library, which could lead to app crashes or allow arbitrary code execution following successful exploitation.
The libwebp library is used by a large number of projects for encoding and decoding images in the WebP format, including modern web browsers like Safari, Mozilla Firefox, Microsoft Edge, Opera, and the native Android web browsers, as well as popular apps like 1Password and Signal.
libvpx is used for VP8 and VP9 video encoding and decoding by desktop video player software and online streaming services like Netflix, YouTube, and Amazon Prime Video.
Both vulnerabilities were tagged as exploited in the wild when disclosed earlier this month. While there's no info on attacks targeting the WebP flaw, the Google Threat Analysis Group (TAG) and Citizen Lab researchers revealed that attackers used CVE-2023-5217 to deploy Cytrox's Predator spyware.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said when first revealing that CVE-2023-4863 has been exploited in the wild.
"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."
Even though there are no details on CVE-2023-4863 attacks, the bug was reported by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab, the latter with a proven record of finding and disclosing zero-days exploited in targeted spyware attacks.
Google assigned a second CVE ID (CVE-2023-5129) to the libwebp security vulnerability, tagging it as a maximum severity bug, which caused confusion within the cybersecurity community.
While a Google spokesperson did not reply to a request for comment, the new CVE ID was later rejected by MITRE for being a duplicate of CVE-2023-4863.
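For anyone who doesn't want to wait on the Store's own schedule, here is a PowerShell check that reports what's installed and can kick off a Store update scan. This is an added example, not code from the article, from Microsoft, or from the original poster. It assumes the Store package identifiers Microsoft.WebpImageExtension and Microsoft.VP9VideoExtensions (the WebP Image Extensions and VP9 Video Extensions apps), the default per-machine Edge install path, and the MDM bridge class used to trigger a Store scan; the fixed build numbers are not stated on this page, so you pass them in yourself via -MinimumVersion.

```powershell
# Added example (not from the article or the original poster): report the installed
# versions of the Store-delivered codec packages and of Edge, and optionally ask the
# Store to scan for updates now. Assumptions: the package identifiers below are the
# Store package names for "WebP Image Extensions" and "VP9 Video Extensions"; the
# fixed build numbers are not on the page, so you supply them in -MinimumVersion.
[CmdletBinding()]
param(
    # Map of Store package name -> minimum acceptable version (fill in from the
    # Store listing or the MSRC advisory; $null means "report only, don't judge").
    [hashtable]$MinimumVersion = @{
        'Microsoft.WebpImageExtension' = $null
        'Microsoft.VP9VideoExtensions' = $null
    },
    # Run the Store's update scan immediately instead of waiting for its schedule.
    [switch]$TriggerStoreScan
)

function Get-CodecPackageStatus {
    param([hashtable]$Minimum)
    foreach ($name in $Minimum.Keys) {
        # -AllUsers also lists copies installed for other accounts (requires elevation).
        $pkgs = @(Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue)
        if ($pkgs.Count -eq 0) {
            [pscustomobject]@{ Package = $name; Installed = $null; Minimum = $Minimum[$name]; Status = 'not installed' }
            continue
        }
        foreach ($p in $pkgs) {
            $installed = [version]$p.Version
            $status = if ($null -eq $Minimum[$name]) {
                'no minimum supplied'
            } elseif ($installed -ge [version]$Minimum[$name]) {
                'ok'
            } else {
                'OUTDATED'
            }
            [pscustomobject]@{ Package = $name; Installed = $installed; Minimum = $Minimum[$name]; Status = $status }
        }
    }
}

function Get-EdgeVersion {
    # Default per-machine install path for Edge Stable (assumption; adjust for other channels).
    $exe = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'
    if (Test-Path $exe) { (Get-Item $exe).VersionInfo.ProductVersion } else { $null }
}

Get-CodecPackageStatus -Minimum $MinimumVersion | Format-Table -AutoSize
"Edge: $(Get-EdgeVersion)"

if ($TriggerStoreScan) {
    # MDM bridge method that starts a Store app update scan (assumption: available on
    # Windows 10/11 client SKUs); run from an elevated prompt.
    Get-CimInstance -Namespace 'Root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' |
        Invoke-CimMethod -MethodName UpdateScanMethod
}
```

Run it elevated as `.\Check-CodecUpdates.ps1 -MinimumVersion @{ 'Microsoft.WebpImageExtension' = '<fixed build>' } -TriggerStoreScan` once you've looked up the patched build number; without a minimum it just lists what's installed so you can compare against the Store page by eye.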