Microsoft won’t say if its products were exploited by spyware zero-days

Must read

5 Types of Licenses for Financial Advisors

Financial advisors help individuals make informed decisions about their finances, but it’s also important to ensure that anyone you trust to manage your...

Legal Clash: Texas Crypto Firm Files Lawsuit Against US SEC Over Digital Asset Regulation

A Texas-based crypto company, Lejilex, along with the Crypto Freedom Alliance of Texas (CFAT), has filed a lawsuit against the US Securities and...

A Leading DeFi Bull Indicator? MetaMask Registers Over 30 Million In 5 Months

MetaMask monthly active users (MAUs) currently stand at over 30 million, a near 2X surge from around 19 million recorded in September 2023. ...

Bitcoin Bullish Signal: Inflows To HODLer Wallets Hit ATH

On-chain data shows the Bitcoin inflows going towards “accumulation wallets” have hit a new all-time high, a sign that could be bullish for...
Niamh Kavanagh
Niamh Kavanagh is a social media and digital marketing expert, CMO of Dream Machine Foundation, and storyteller with a purpose. She grew Dream Machine to 8M followers and edited videos that raised $750K for charity, earning attention from Oprah, Steve Harvey, and Khloe Kardashian.

Microsoft has released patches to fix zero-day vulnerabilities in two popular open-source libraries that affect several Microsoft products, including Skype, Teams, and its Edge browser. But Microsoft won’t say if those zero-days were exploited to target its products, or if the company knows either way.

The two vulnerabilities — known as zero-days since developers had no advance notice to fix the bugs — were discovered last month, and both bugs have been actively exploited to target individuals with spyware, according to researchers at Google and Citizen Lab.

The bugs were discovered in two common open-source libraries, webp and libvpx, which are widely integrated into browsers, apps and phones to process images and videos. The ubiquity of these libraries coupled with a warning from security researchers that the bugs were abused to plant spyware prompted a rush by tech companies, phone makers, and app developers to update the vulnerable libraries in their products.

In a brief statement Monday, Microsoft said it had rolled out fixes addressing the two vulnerabilities in the webp and libvpx libraries which it had integrated into its products, and acknowledged that exploits exist for both vulnerabilities.

When reached for comment, a Microsoft spokesperson declined to say if its products had been exploited in the wild, or if the company has the ability to know.

Security researchers at Citizen Lab said in early September that they had discovered evidence that NSO Group customers, using the company’s Pegasus spyware, had exploited a vulnerability found in the software of an up-to-date and fully-patched iPhone.

According to Citizen Lab, the bug in the vulnerable webp library that Apple integrates in its products was exploited without requiring any interaction from the device owner — a so-called zero-click attack. Apple rolled out security fixes for iPhones, iPads, Macs and Watches, and acknowledged the bug may have been exploited by unknown hackers.

Google, which relies on the webp library in Chrome and other products, also began patching the bug in early September to protect their users from an exploit that Google said it was aware “exists in the wild.” Mozilla, which makes the Firefox browser and Thunderbird email client, also patched the bug in its apps, noting that Mozilla was aware the bug had been exploited in other products.

Later in the month, Google security researchers said they found another vulnerability, this time in the libvpx library, which Google said had been abused by a commercial spyware vendor, which Google declined to name. Google rolled out an update to fix the vulnerable libvpx bug integrated into Chrome soon after.

Apple issued a security update on Wednesday to fix the libvpx bug in iPhones and iPads, along with another kernel vulnerability that Apple said exploited devices running software earlier than iOS 16.6.

As it turned out, the zero-day in libvpx also affected Microsoft products, though it remains unclear if hackers were able to exploit it against users of Microsoft products.

More articles

Latest article

5 Types of Licenses for Financial Advisors

Financial advisors help individuals make informed decisions about their finances, but it’s also important to ensure that anyone you trust to manage your...

Legal Clash: Texas Crypto Firm Files Lawsuit Against US SEC Over Digital Asset Regulation

A Texas-based crypto company, Lejilex, along with the Crypto Freedom Alliance of Texas (CFAT), has filed a lawsuit against the US Securities and...

A Leading DeFi Bull Indicator? MetaMask Registers Over 30 Million In 5 Months

MetaMask monthly active users (MAUs) currently stand at over 30 million, a near 2X surge from around 19 million recorded in September 2023. ...

Bitcoin Bullish Signal: Inflows To HODLer Wallets Hit ATH

On-chain data shows the Bitcoin inflows going towards “accumulation wallets” have hit a new all-time high, a sign that could be bullish for...

‘Avoid Ethereum (ETH) At All Costs’ Says Bitcoin Advocate – Here’s Why

Bitcoin supporter Fred Krueger has recently voiced concerns about Ethereum’s (ETH) fundamental trends and potential regulatory hurdles. Krueger’s remarks, shared in a post...