Microsoft has released patches to fix zero-day vulnerabilities in two popular open source libraries that affect a variety of products, including Skype, Teams and its Edge browser. But Microsoft would not say whether these zero-day vulnerabilities were exploited to attack its products or whether the company was aware of any such attacks.

Researchers at Google and Citizen Lab say the two vulnerabilities, known as zero-days because developers were not notified in advance to fix them, were discovered last month and have been actively exploited to target individuals with spyware.

The bugs were discovered in two common open source libraries, webp and libvpx, which are widely integrated into browsers, apps and mobile phones to process images and videos. The ubiquity of these libraries, coupled with warnings from security researchers that the vulnerabilities are being abused to plant spyware, has prompted tech companies, phone manufacturers and app developers to rush to update the vulnerable libraries in their products.

Microsoft said in a brief statement on Monday that it had rolled out fixes for two vulnerabilities in the webp and libvpx libraries, which it integrates into its products, acknowledging that its products were affected by both. When reached for comment, a Microsoft spokesperson declined to say whether its products had been exploited externally or whether the company had the ability to find out.

Security researchers at Citizen Lab said in early September that they found evidence that customers of NSO Group used the company's Pegasus spyware to exploit vulnerabilities found in the latest and fully patched iPhone software.

According to Citizen Lab, a vulnerability in the webp library that Apple integrates into its products can be exploited without any interaction from the device owner, a so-called zero-click attack. Apple rolled out security fixes for iPhones, iPads, Macs and Watches and acknowledged that the flaw may have been exploited by unknown hackers.

Google, which relies on the webp library in Chrome and other products, also began patching the bug in early September to protect its users from a vulnerability that Google said it was aware of "externally." Mozilla, which runs the Firefox browser and Thunderbird email client, has also patched the bug in its applications, noting that Mozilla is aware that the bug has been exploited in other products.

Later this month, Google security researchers said they had discovered another vulnerability, this time in the libvpx library, that Google said had been abused by a commercial spyware vendor it declined to name. Google quickly rolled out an update to fix the libvpx bug in the copy of the library integrated into Chrome.

Apple on Wednesday released a security update that fixes the libvpx bug in iPhones and iPads, as well as a separate kernel vulnerability that Apple said had been exploited on devices running software prior to iOS 16.6.

It turns out that the zero-day vulnerability in libvpx also affects Microsoft products, but it's unclear whether hackers were able to exploit it to attack users of the company's products.