Microsoft has released patches for zero-day vulnerabilities in two widely used open source libraries, webp and libvpx. These vulnerabilities affect several Microsoft products, including Skype, Teams, and the Edge browser. According to researchers at Google and Citizen Lab, spyware companies actively exploited the bugs to target individuals. The vulnerabilities allow attackers to infiltrate devices and plant spyware without requiring any interaction from the device owner, making them particularly dangerous. In response, tech companies, phone makers, and app developers have rushed to update their products with the fixed libraries.
The webp and libvpx libraries are integrated into browsers, apps, and phones to process images and videos. Given their ubiquity, the security researchers’ warnings about the exploitation of these vulnerabilities prompted immediate action. Microsoft has deployed fixes for the vulnerabilities in its products but has not disclosed whether its products were targeted or whether it has knowledge of any exploitation. Apple and Google have also released security updates to protect their users from potential exploits. The discovery of these vulnerabilities and their exploitation highlights the need for ongoing vigilance and prompt patching to ensure the security of open source libraries.
The vulnerabilities in the webp and libvpx libraries have raised concerns about the potential widespread impact on various platforms and applications. The fact that the bugs were actively exploited by spyware vendors emphasizes the urgency of addressing them. The affected libraries are widely integrated into popular software and devices, which exposes that software and those devices to attack. While Microsoft, Apple, and Google have responded by issuing patches, the article does not clarify whether Microsoft products were actually exploited. Nevertheless, the incident serves as a reminder of the importance of regularly updating software and promptly addressing security vulnerabilities to protect against potential threats.