Tech Giants Race to Patch Zero-Day Vulnerabilities
No attachments for this post
Microsoft recently rolled out patches for two zero-day vulnerabilities in open-source libraries—webp and libvpx—affecting its products, including Skype, Teams, and Edge. However, it remains mum on whether these zero-days were exploited in its products or if they possess knowledge regarding such exploits.
These vulnerabilities, termed zero-days since developers had zero notice, were identified last month. Both have been leveraged to deploy spyware on unsuspecting users, as pointed out by researchers from Google and Citizen Lab.
The affected libraries, webp and libvpx, are integral to numerous browsers, apps, and phones, assisting in image and video processing. Their widespread use and the urgency from security experts about potential spyware deployment saw a scramble among tech companies to update these libraries.
Microsoft confirmed the fixes for both vulnerabilities but refrained from commenting on any real-world exploits. Meanwhile, Citizen Lab unveiled evidence in September of NSO Group's customers exploiting a flaw in an updated iPhone's software using Pegasus spyware.
Citizen Lab further revealed that the iPhone's integrated vulnerable webp library was susceptible to a zero-click attack, which requires no user interaction. Apple swiftly addressed this with security patches for its devices and conceded potential exploits by unidentified hackers.
Google, incorporating the webp library in Chrome, started addressing this vulnerability early September after acknowledging its real-world exploit. Similarly, Mozilla fixed this issue in its Firefox browser and Thunderbird email client, aware of its exploit in other products.
Later in the month, Google identified another vulnerability in the libvpx library, abused by an unnamed commercial spyware provider. Google, along with Apple, promptly issued updates to rectify the vulnerability. Apple also fixed another issue impacting devices with software older than iOS 16.6.
Though the libvpx zero-day impacted Microsoft products, it's uncertain if hackers exploited it against Microsoft's user base.
Comments on this post
No comments have been added for this post.
You must be logged in to make a comment.