Microsoft's Silence on Zero-Day Exploits Raises Questions

Microsoft has taken steps to address zero-day vulnerabilities affecting some of its products

Microsoft has taken steps to address zero-day vulnerabilities affecting some of its products, such as Skype, Teams, and Edge browser, by releasing patches for two widely-used open source libraries. However, the tech giant has refrained from disclosing whether these zero-days were actively exploited to target its products or whether it possesses knowledge of such exploitation.

These two vulnerabilities, dubbed "zero-days" due to their sudden discovery without prior developer awareness, came to light last month. Researchers at Google and Citizen Lab reported that both vulnerabilities had been actively exploited to deliver spyware to targeted individuals.

The vulnerabilities were found within two common open source libraries: webp and libvpx. These libraries are extensively integrated into various browsers, apps, and mobile devices for processing images and videos. Given their widespread usage and warnings from security researchers about these vulnerabilities being exploited for spyware delivery, tech companies, phone manufacturers, and app developers rushed to update these libraries in their respective products.

In a brief statement on a Monday, Microsoft confirmed that it had released fixes for the two vulnerabilities found in the webp and libvpx libraries, which were integrated into its products. Microsoft also acknowledged the existence of exploits for both vulnerabilities.

However, when asked for further details, a Microsoft spokesperson declined to confirm whether its products had fallen victim to exploitation in the wild or if the company possessed the capability to detect such incidents.

In early September, Citizen Lab security researchers reported evidence of NSO Group customers leveraging the Pegasus spyware to exploit a vulnerability within the software of an up-to-date, fully patched iPhone. This vulnerability was associated with the webp library integrated into Apple's products and allowed for a "zero-click attack," requiring no interaction from the device owner. Apple promptly rolled out security fixes for iPhones, iPads, Macs, and Watches, acknowledging the potential exploitation by unknown hackers.

Google, which relies on the webp library in Chrome and other products, also began patching the vulnerability in early September to protect its users from an exploit confirmed to be "in the wild." Mozilla, the developer behind the Firefox browser and Thunderbird email client, also addressed the vulnerability in its apps, acknowledging its exploitation in other products.

Later in the same month, Google security researchers identified another vulnerability, this time in the libvpx library, which had been exploited by an undisclosed commercial spyware vendor. Google swiftly released an update to rectify the vulnerable libvpx bug integrated into Chrome.

Apple issued a security update, including a fix for the libvpx bug in iPhones and iPads, along with addressing another kernel vulnerability affecting devices running software versions earlier than iOS 16.6.

Interestingly, it was revealed that the zero-day within libvpx also impacted Microsoft products, though it remains uncertain whether hackers successfully exploited it against users of Microsoft products.