Multi-Microsoft products are vulnerable to CVE-2023-4863 and CVE-2023-5217 zero-day vulnerabilities

Microsoft zero-day vulnerabilities

In the rapidly evolving landscape of cyber threats, zero-day vulnerabilities serve as hidden trapdoors, allowing cybercriminals a secret entrance. Microsoft, the tech behemoth, has recently turned the spotlight on two significant zero-day vulnerabilities, CVE-2023-4863 and CVE-2023-5217, both of which have impacted a subset of its products.

Microsoft zero-day vulnerabilities

CVE-2023-4863: A Critical Vulnerability

Affected Products:

  • Microsoft Edge
  • Microsoft Teams for Desktop
  • Skype for Desktop
  • Webp Image Extensions (Available on Windows and updated through Microsoft Store)

The first flaw, termed as critical, stems from a heap buffer overflow weakness in the WebP code library (libwebp). The consequences of this vulnerability vary, ranging from abrupt system crashes to the more sinister arbitrary code execution. In simpler terms, attackers can potentially take control of the affected system, creating a realm of cyber nightmares.

This specific vulnerability was highlighted by Apple Security Engineering and Architecture (SEAR) in collaboration with The Citizen Lab at The University of Toronto’s Munk School. The discovery was publicly announced on September 6, serving as a critical reminder of the interconnected nature of today’s digital world, where vulnerabilities in one software can ripple across many.

CVE-2023-5217: A High-Severity Vulnerability

Affected Product:

  • Microsoft Edge

The second flaw, marked as high severity, is linked to a heap buffer overflow weakness discovered in the VP8 encoding of the open-source libvpx video codec library. Much like its predecessor, its repercussions stretch from mere application crashes to arbitrary code execution.

Google Threat Analysis Group’s (TAG) security researcher, Clément Lecigne, brought this vulnerability to the fore on September 25. Maddie Stone, another expert from Google TAG, dropped a bombshell with the revelation that this particular flaw had been exploited to install spyware.

While Google, Microsoft, and Mozilla confirmed that two zero-day vulnerabilities, CVE-2023-4863 and CVE-2023-5217 have been maliciously exploited in the wild, specifics surrounding these attacks remain under wraps.

Microsoft has risen to the challenge by promptly patching the mentioned vulnerabilities. Yet, these events stand as a poignant reminder of the importance of staying updated in this digital age. Regular software updates and vigilance are the first line of defense against such unpredictable threats.

If you are concerned about zero-day vulnerabilities, you can also consider using a sandboxing solution. Sandboxing solutions create isolated environments in which you can run untrusted applications. This can help to prevent malicious code from executing on your system.