Microsoft Remains Silent On Exploitation Of Zero-Day Vulnerabilities


Microsoft has released patches to address zero-day vulnerabilities found in two open-source libraries, webp and libvpx. These vulnerabilities affect multiple Microsoft products, including Skype, Teams, and its Edge browser. However, Microsoft has not disclosed whether these zero-days were exploited to target its products, or whether it has any knowledge of such exploits.

Key Takeaway

Microsoft has patched zero-day vulnerabilities in the webp and libvpx libraries, but has yet to confirm whether its products were targeted by exploits. These vulnerabilities have been actively exploited to distribute spyware. Other tech companies, such as Apple and Google, have acknowledged and addressed the exploitation of these vulnerabilities within their products, which underscores the importance of promptly installing security updates.

Background: Zero-Day Vulnerabilities and Exploitation

A zero-day vulnerability is a bug that developers had no advance notice of, so no fix or patch is available to mitigate it. Last month, researchers at Google and Citizen Lab revealed the discovery of two such vulnerabilities, which had been actively exploited to distribute spyware.

The vulnerabilities were located in the widely used webp and libvpx libraries, which are integral to various browsers, apps, and phones for processing images and videos. Due to their prevalence and the warning from security researchers regarding their exploitation, tech companies, phone manufacturers, and app developers rushed to update the vulnerable libraries within their products.

Microsoft’s Response

Microsoft has released fixes for the two vulnerabilities in the webp and libvpx libraries, both of which are incorporated into its products. The company has acknowledged the existence of exploits for both vulnerabilities. However, it has not said whether its products were targeted by these exploits or whether it has any knowledge of such incidents.

When approached for comment, a Microsoft spokesperson declined to confirm whether the company's products had been exploited or whether it has the capability to identify such attacks.

Implications: Exploitation by Spyware and Other Companies’ Responses

Security researchers at Citizen Lab reported in early September that NSO Group customers had used the Pegasus spyware to exploit a vulnerability in up-to-date and fully-patched iPhones. Citizen Lab also identified that the vulnerable webp library, integrated into Apple’s products, was exploited through a zero-click attack, requiring no interaction from the device owner. Apple subsequently released security fixes for its devices.

Google, relying on the webp library in its Chrome browser and other products, began patching the bug in September, acknowledging the exploit’s existence in the wild. Mozilla, the developer of Firefox and Thunderbird, also addressed the bug in its applications and revealed awareness of its exploitation in other products.

Google’s security researchers later discovered another vulnerability in the libvpx library, which they reported had been abused by a commercial spyware vendor, though the specific vendor was not disclosed. Google promptly released an update to fix the libvpx bug in Chrome.

On Wednesday, Apple issued a security update addressing the libvpx bug in iPhones and iPads, along with another kernel vulnerability affecting devices running software earlier than iOS 16.6. It was subsequently revealed that the libvpx zero-day vulnerability also impacted Microsoft products, although it is currently unclear if hackers successfully exploited it against Microsoft users.
