Cyber Security Threat Summary:
“Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. The first bug is a flaw tracked as CVE-2023-4863 and is caused by a heap buffer overflow weakness in the WebP code library (libwebp), whose impact ranges from crashes to arbitrary code execution. The second one (CVE-2023-5217) is also caused by a heap buffer overflow weakness in the VP8 encoding of the libvpx video codec library, which could lead to app crashes or allow arbitrary code execution following successful exploitation” (Bleeping Computer, 2023).
The libwebp issue has been impacting a variety of products and services since a vulnerability was discovered a few weeks ago. The library is commonly used for encoding and decoding images in the WebP format, used by most modern web browsers including Safari, Firefox, Edge, Opera and Chrome.
The second vulnerability is found in libvpx, a library used for VP8 and VP9 video encoding and decoding by desktop video player software and online streaming services like Netflix, YouTube, and Amazon Prime Video.
"Microsoft is aware and has released patches associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217," the company revealed in a Microsoft Security Response Center advisory published Monday.
Security Officer Comments:
Both critical vulnerabilities impact a limited number of Microsoft products, specifically Microsoft Edge and Teams for Desktop. According to the company, the Microsoft Store will automatically update all impacted WebP Image Extensions. (The company does warn that the updates will not be applied if Microsoft Store automatic updates are disabled.)
Both of these vulnerabilities were disclosed responsibly and reported to be actively exploited in the wild. In one case, attackers used the WebP flaw to install Cytrox’s Predator spyware on victims’ devices. Full details on the vulnerabilities have been withheld, as various vendors work to update their products with a fix.
Popular products using libwebp:
- Popular container images, “collectively downloaded and deployed billions of times” (e.g., drupal, nginx, perl, python, ruby, rust, wordpress)
- A variety of utilities that depend on libwebp
- The most popular web browsers (Chrome, Firefox, Microsoft Edge, Opera, etc.)
- Many Linux distributions (Debian, Ubuntu, Alpine, Gentoo, SUSE, etc.)
- The Electron framework, on which many cross-platform desktop applications are based, including:
  - Basecamp 3
  - Beaker (web browser)
  - Cryptocat (discontinued)
  - Eclipse Theia
  - GitHub Desktop
  - Light Table
  - Logitech Options +
  - Microsoft Teams
  - MongoDB Compass
  - QQ (for macOS)
  - Quasar Framework
  - Symphony Chat
  - Visual Studio Code
Some of the impacted vendors have released patches for the vulnerability, while others have yet to do so. We expect a steady rollout of patches to address this critical vulnerability.
Organizations may be able to use vulnerability scanners to automatically detect and remediate the vulnerability across their systems. Tom Sellers, principal research engineer at runZero, has also shared a shell command users can run on macOS to see which of their apps are based on which Electron version (versions 22.3.24, 24.8.3, 25.8.1, 26.2.1 and 27.0.0-beta.2 have the patch).
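The version check behind such an inventory, as an added example that is not Tom Sellers' command or runZero's code: it compares each app's Electron version against the patched releases listed above and flags anything older. It assumes (not stated in the post) that each Electron app bundle exposes its version as `CFBundleShortVersionString` in `Contents/Frameworks/Electron Framework.framework/Resources/Info.plist`, and that major lines with no listed patched release (23 and anything below 22) are unpatched.

```python
import os
import plistlib

# Minimum patched Electron version per major line, as listed in the post above.
PATCHED = {22: "22.3.24", 24: "24.8.3", 25: "25.8.1", 26: "26.2.1", 27: "27.0.0-beta.2"}
# Assumed location and plist key of the Electron version inside an app bundle.
FRAMEWORK_PLIST = "Contents/Frameworks/Electron Framework.framework/Resources/Info.plist"
VERSION_KEY = "CFBundleShortVersionString"

def version_key(version):
    """Sortable key for a version such as '27.0.0-beta.2'.
    A final release sorts after any pre-release of the same x.y.z."""
    core, _, pre = version.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    if len(nums) != 3:
        raise ValueError(f"unexpected version format: {version!r}")
    # Numeric pre-release identifiers sort before alphanumeric ones and by value.
    pre_key = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split(".") if p)
    return nums + ((1, ()) if not pre else (0, pre_key),)

def is_patched(version):
    """True if version is at or above the patched release of its major line; lines
    with no patched release (below 22, or 23) count as unpatched, newer lines as patched."""
    key = version_key(version)
    if key[0] in PATCHED:
        return key >= version_key(PATCHED[key[0]])
    return key[0] > max(PATCHED)

def electron_version(app_path):
    """Electron version of an app bundle, or None if it is not Electron-based (assumed layout)."""
    plist_path = os.path.join(app_path, FRAMEWORK_PLIST)
    if not os.path.isfile(plist_path):
        return None
    with open(plist_path, "rb") as fh:
        return plistlib.load(fh).get(VERSION_KEY)

def scan_applications(apps_dir="/Applications"):
    """Map each Electron app under apps_dir to (version, patched?)."""
    report = {}
    for name in sorted(os.listdir(apps_dir)):
        version = electron_version(os.path.join(apps_dir, name)) if name.endswith(".app") else None
        if version:
            report[name] = (version, is_patched(version))
    return report

if __name__ == "__main__":
    for app, (version, ok) in scan_applications().items():
        print(f"{'OK    ' if ok else 'UPDATE'} {app}: Electron {version}")
```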
Vendors that have pushed patches for the WebP zero-day (not exhaustive):
- Google Chrome – Mac and Linux 116.0.5845.187 and Windows 116.0.5845.187/.188.
- Mozilla – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2
- Brave Browser – version 1.57.64 (Chromium: 116.0.5845.188) [Android, iOS, Linux & Mac].
- Microsoft Edge – versions 109.0.1518.140, 116.0.1938.81, and 117.0.2045.31.
- Microsoft Teams for Desktop
- Skype for Desktop
- WebP Image Extensions (released on Windows and updated through the Microsoft Store)
- Tor Browser – version 12.5.4.
- Opera – version 102.0.4880.46.
- Vivaldi – version 6.2.3105.47.
- NixOS – Nix package manager