Microsoft patches zero-day flaws in Teams, Edge and Skype

Two flaws in popular products including Edge, Teams, and Skype have been discovered and patched, the company has confirmed.

Microsoft addressed CVE-2023-4863 and CVE-2023-5217, which affect the code libraries these programs use to encode and decode images in the WebP format and to handle VP8 encoding. The two libraries in question are used, the original report further notes, by a large number of popular software and services, including Safari, Firefox, Opera, various Android web browsers, 1Password, and Signal, but also Netflix, YouTube, and Amazon Prime Video.

Should an attacker abuse these flaws, they would be able to achieve arbitrary code execution on vulnerable endpoints.

Automatic updates

“Microsoft is aware and has released patches associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217,” a company advisory stated.

The Microsoft Store will update the WebP extension for all affected users without user interaction, the company further explained, stressing that users should first make sure automatic updates are enabled. Otherwise, they will need to trigger the patch manually.

The flaws were apparently first observed by cybersecurity researchers from Apple’s Security Engineering and Architecture (SEAR), Google’s Threat Analysis Group (TAG), and Citizen Lab a few days ago, with the teams saying they were being exploited in the wild. No further explanation was given at the time, but it’s worth mentioning that TAG and Citizen Lab are usually on the hunt for state-sponsored threat actors and the zero-days they leverage in attacks.

As these are zero-days (flaws without a patch) under active exploitation, Google refrained from sharing details so as not to motivate other threat actors to jump on the bandwagon, which is standard practice among researchers: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said of CVE-2023-4863.

“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

Via BleepingComputer
