Microsoft patches zero-day flaws in Teams, Edge and Skype


Two zero-day flaws in popular Microsoft products including Edge, Teams, and Skype have been discovered and patched, the company has confirmed.

Microsoft addressed CVE-2023-4863 and CVE-2023-5217, which affect the code libraries the programs use to encode and decode images in the WebP format and videos with VP8 encoding. The two libraries in question are used, the publication further adds, by a large number of popular software and services, including Safari, Firefox, Opera, various Android web browsers, 1Password, and Signal, but also Netflix, YouTube, and Amazon Prime Video.

Should a threat actor abuse these flaws, they’d be able to execute arbitrary code on vulnerable endpoints.

Automatic updates

"Microsoft is aware and has released patches associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217," a company advisory stated.

The Microsoft Store will update all affected Webp Image Extension users without user interaction, the company further explained, stressing that users should first make sure automatic updates are enabled. Otherwise, they will need to trigger the patch manually.

The flaws were apparently first observed by cybersecurity researchers from Apple’s Security Engineering and Architecture (SEAR), Google’s Threat Analysis Group (TAG), and Citizen Lab, a few days ago, with the teams saying they were being exploited in the wild. No further explanation was given at the time, but it’s worth mentioning that TAG and Citizen Lab are usually on the hunt for state-sponsored threat actors and the zero-days they leverage in attacks. 

As these are zero-days (flaws without a patch) under active exploitation, Google refrained from sharing details so as not to motivate other threat actors to jump on the bandwagon, which is standard practice among researchers: "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said for CVE-2023-4863.

"We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed."

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
