Microsoft Edge, Teams Get Fixes for Zero-Days in Open-Source Libraries
Microsoft has released emergency security updates for Edge, Teams, and Skype to address two zero-day vulnerabilities found in open-source libraries used by the products. The first vulnerability, CVE-2023-4863, is a heap buffer overflow flaw in the WebP code library, while the second vulnerability, CVE-2023-5217, is a heap buffer overflow flaw in the VP8 encoding of the libvpx video codec library. These vulnerabilities could result in crashes or allow arbitrary code execution. The flaws have been exploited in the wild, with one being used to deploy spyware. Microsoft has patched the affected products, and users are urged to update their software.