Microsoft has taken swift action to address zero-day vulnerabilities in two widely used open-source libraries that impact Skype, Teams, and the Edge browser. The company, however, has not disclosed whether these vulnerabilities were exploited by attackers.
Zero-Day Vulnerabilities in Open Source Libraries
Last month, researchers uncovered zero-day vulnerabilities in two open source libraries: webp and libvpx. These libraries play a crucial role in processing images and videos across browsers, applications, and smartphones. Google and Citizen Lab researchers revealed that these vulnerabilities were actively exploited by attackers to deploy spyware on victims’ devices.
Pegasus Software and Zero-Click Attacks
Citizen Lab reported that clients of the Israeli company NSO Group utilized Pegasus software to exploit a vulnerability in Apple’s software. Notably, this vulnerability in the webp library did not require any interaction with the device owner, making it a so-called “Zero-Click attack.” Major tech companies like Google and Mozilla have also taken steps to safeguard their users from these vulnerabilities.
Google’s Discovery and Apple’s Response
Google security researchers uncovered another vulnerability, this time in the libvpx library. They noted that this vulnerability was exploited by a commercial spyware vendor, although the vendor’s identity remained undisclosed. Both Apple and Google released security updates to address the libvpx vulnerability. Apple also tackled another vulnerability in its device kernel, affecting devices running software versions earlier than iOS 16.6.
Microsoft’s Response
Interestingly, Microsoft products were also affected by the libvpx vulnerability. Microsoft confirmed the presence of these vulnerabilities in the aforementioned libraries and promptly released updates. However, the software giant has refrained from commenting on whether its products were targeted in attacks.
NIX Solutions concludes that Microsoft’s swift response to these zero-day vulnerabilities underscores the importance of timely security updates to protect users from potential threats.