Microsoft recently patched a number of zero-day vulnerabilities in its Edge browser, MS Teams for Desktop and Skype for Desktop, among others. These are vulnerabilities in the open-source libraries that the solutions use.
The first bug Microsoft has addressed is tracked as CVE-2023-4863. It is a heap buffer overflow in the WebP code library (libwebp) that can lead to crashes and arbitrary code execution, among other things.
The libwebp library is primarily used to encode and decode images in the WebP format, which modern browsers increasingly use. Password managers also use this format more frequently.
The second patched bug for all three Microsoft solutions concerns CVE-2023-5217. This vulnerability is also a heap buffer overflow in the VP8 encoding of the libvpx video codec library. This vulnerability too can lead to crashes of the affected applications or the ability to run arbitrary code.
Libvpx's VP8 and VP9 video encoding and decoding is used by desktop video player software and by online streaming services.
Edge, Teams and Skype
The vulnerabilities affect a limited number of solutions, according to the tech giant. More specifically, these include Microsoft Edge, Microsoft Teams for Desktop, Skype for Desktop and Webp Image Extensions.
All Webp Image Extensions users will be provided an update through the Microsoft Store. However, users must have the automatic updates feature turned on to receive it.