Microsoft won’t say if its products were exploited by spyware zero-days

Microsoft has released patches to address zero-day vulnerabilities in two popular open-source libraries that impact several Microsoft products, including Skype, Teams, and its Edge browser. However, Microsoft has not disclosed whether these zero days were used to target its products or if the company is aware of such exploitation.

These two vulnerabilities, referred to as zero days because developers had no advance notice to address them, were discovered last month. Both vulnerabilities have been actively exploited to target individuals with spyware, as reported by researchers at Google and Citizen Lab.

These vulnerabilities were found in two widely-used open-source libraries, webp and libvpx, which are extensively integrated into browsers, apps, and phones for processing images and videos. Due to the widespread use of these libraries and the warning from security researchers that they were being exploited for spyware, various tech companies, phone manufacturers, and app developers rushed to update these vulnerable libraries in their products.

In a brief statement on Monday, Microsoft announced that it had released fixes for the two vulnerabilities in the webp and libvpx libraries integrated into its products. Microsoft also acknowledged the existence of exploits for both vulnerabilities.


When contacted for further details, a Microsoft spokesperson declined to confirm whether its products had been targeted in the wild or whether the company had the capability to determine such incidents.

In early September, security researchers at Citizen Lab reported evidence that customers of the NSO Group had exploited a vulnerability in the software of an up-to-date and fully patched iPhone using the Pegasus spyware. This particular vulnerability was found in the webp library that Apple integrates into its products and could be exploited without requiring any interaction from the device owner—a so-called zero-click attack. Apple promptly issued security fixes for iPhones, iPads, Macs, and Watches, acknowledging that the bug might have been exploited by unknown hackers.

Google, which relies on the webp library in Chrome and other products, also began patching the bug in early September, acknowledging that it was aware of the bug's existence “in the wild.” Mozilla, the developer of the Firefox browser and Thunderbird email client, also addressed the bug in its apps, acknowledging its exploitation in other products.

Later in the month, Google’s security researchers discovered another vulnerability, this time in the libvpx library. Google revealed that a commercial spyware vendor had abused this vulnerability but did not disclose the vendor’s name. Google swiftly released an update to fix the libvpx bug in Chrome.


In response to zero-day vulnerabilities in the open-source libraries webp and libvpx, Microsoft released patches for Skype, Teams, and Edge. These flaws were exploited for spyware in Apple and Google products, resulting in industry-wide updates. The company confirmed the exploits but did not say if its products were affected.
