- By Ashish Singh
- Thu, 05 Oct 2023 12:16 PM (IST)
- Source:IANS
Microsoft responded quickly to two zero-day vulnerabilities found in open-source libraries, issuing critical security updates for major products such as Edge, Teams, and Skype. According to Google and Citizen Lab, these vulnerabilities, discovered last month, were actively exploited by threat actors to target individuals with spyware.
The vulnerabilities were discovered in webp and libvpx, two commonly used open-source libraries. Microsoft responded by issuing patches for its products that use these libraries.
Microsoft confirmed the issue in a brief statement that read, "Microsoft is aware and has published updates associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217. We have fixed these issues in our goods after discovering via our analysis that they are specific to a subset of our products."
The CVE-2023-4863 security patch fixes the flaw affecting Microsoft Edge, Microsoft Teams for Desktop, Skype for Desktop, and Webp Image Extensions. The CVE-2023-5217 patch, meanwhile, was released specifically for Microsoft Edge.
Despite these important updates, Microsoft has not acknowledged whether its products have been actively exploited in the wild. Whether the company is able to identify such exploitation is still unknown.
Similar incidents, in which spyware vendors actively exploited zero-day vulnerabilities in Google's and Apple's products, have recently been noted. A commercial spyware vendor exploited a zero-day vulnerability in Chrome that Google recently patched. The Pegasus spyware, created by Israel-based NSO Group, was regularly used to infect iPhones until Apple patched two zero-day vulnerabilities. These flaws were discovered by Citizen Lab while examining the devices of a civil society organisation based in Washington, D.C., and they were immediately submitted to Apple for patching. In response to the exploit chain, Apple issued two CVEs (CVE-2023-41064 and CVE-2023-41061).