The Redmond company refuses to comment on the possibility that its applications may be victims of two spyware programs that are spreading like wildfire.
In recent weeks, details have emerged about vulnerabilities in two code libraries that many applications, web and otherwise, use on Windows and Mac OS. The libraries involved are libwebp and libvpx. I told you about the first in particular last week, since it was Google that realized the danger and intervened to correct the defect. It seriously compromised the security of Chrome, whose electronic framework uses this library to display webp files, a modern image file format whose lightness lends itself well to web publishing. libvpx, on the other hand, is a software library for playing the VP8 and VP9 video codecs on the web, two formats widely used because of their high compression factor.
Since these libraries are widely used on every computer that performs Internet-related tasks, several programs are at risk of being hacked: Skype, Teams and Edge, to mention only Microsoft programs. However, Redmond has not yet announced whether these vulnerabilities have actually been exploited by spyware, nor whether it already has a way to verify this.
The vulnerabilities in the libwebp and libvpx libraries are of the type conventionally called zero-days: this category means that, on the developer's side, there is no possibility of recognizing the danger and correcting the problem in advance, but only once the problem has been encountered. The first to notice its presence were researchers from Google and Citizen Lab, a laboratory at the University of Toronto. The first reports immediately confirmed how dangerous these flaws were, as these libraries exist not only on computers, but also on smartphones, via browsers and/or applications of various types. Furthermore, cases have been verified where these vulnerabilities were exploited by malicious actors who infiltrated the systems of specific individuals via spyware.
The seriousness of this flaw is that it leads to what is called a zero-click attack, that is, an attack that does not require any concrete action on the part of the user whose device is hacked. In practice, attackers can simply exploit these vulnerabilities to infiltrate an unlucky person's device without the latter doing anything in particular to inadvertently facilitate their entry. Citizen Lab has collected evidence of attacks of this type carried out on Apple devices, including a very recent iPhone model that is updated regularly.
Apple ran for cover as quickly as possible and last week released a security update for iOS and iPadOS which fixed a bug regarding libvpx. Other countermeasures had been taken earlier by Google, which has released update patches since last month to stop the risk of the libwebp flaw on Chrome, a path followed shortly afterwards by Mozilla as well. In short, fortunately, big tech companies quickly realized the severity of the problem and took action to remedy it. And Microsoft?
The Redmond company recognized the severity of the vulnerabilities in question, which also affect its applications, and stated that it had carried out the necessary fixes to make them safe again. This was announced in an official statement posted on Microsoft's Security Response Center:
Microsoft is aware of security vulnerabilities in two open source programs, CVE-2023-4863 and CVE-2023-5217, and issued corrections. During our investigation, we discovered that these vulnerabilities affected distinct sets of our applications, which we detail below:
– Microsoft Edge
– Microsoft Teams for desktop
– Skype for desktop
– Webp Image Extensions (released on Windows and updated via Microsoft Store)
Microsoft's response to open source vulnerabilities – CVE-2023-4863 and CVE-2023-5217 – October 2, 2023
Everything solved, then? No, in the sense that Microsoft "forgot to specify" key details, namely whether it is aware of any cases of actual device exploitation using spyware that exploited these vulnerabilities. If so, the company should at least provide quantitative and qualitative data, specifying for example whether there are any countries particularly affected. Furthermore, if this is not the case, Microsoft should announce whether it has not found cases because they do not exist or because it does not have the tools to check for them. In this second case, the obvious problem would be that there may be an unknown number of infected devices that no one would be aware of, as long as they have not been compromised.
In short, even if the defenses have been raised, the danger is that Microsoft has closed the fence after all the horses have already bolted. It would be appropriate to clarify these details as soon as possible, and this is certainly not of little importance.