Microsoft Releases Security Update for Open-Source Software Vulnerabilities
Summary
Microsoft has provided a security update addressing two actively exploited heap buffer overflow vulnerabilities.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Microsoft has released a security update to address one critical vulnerability and one high vulnerability.
The critical vulnerability, tracked as CVE-2023-4863, is a heap buffer overflow vulnerability in libwebp. This vulnerability could allow a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.
The high vulnerability, tracked as CVE-2023-5217, is a heap buffer overflow vulnerability in VP8 encoding in libvpx. This vulnerability could allow a remote attacker to exploit heap corruption via a crafted HTML page.
Microsoft Edge (Chromium-based) ingests Chromium, which addresses these vulnerabilities.
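Both vulnerabilities above belong to the same bug class: a decoder trusts a size taken from attacker-controlled input and writes more into a heap buffer than the buffer holds. The following is an added illustration of that class and of the bounds check that prevents it; it is constructed for this page and is not code from libwebp, libvpx, Chromium or Microsoft. The toy format (one length byte followed by payload bytes), the buffer size `PIXEL_BUF_SIZE` and the helper functions are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy "image" format used only for this illustration:
 *   byte 0      : declared payload length N (untrusted, comes from the file)
 *   bytes 1..N  : payload
 * Destination buffers are PIXEL_BUF_SIZE bytes on the heap. */
#define PIXEL_BUF_SIZE 16

/* Vulnerable pattern: the declared length is used without checking it
 * against either the destination capacity or the remaining input.
 * A declared length larger than PIXEL_BUF_SIZE overflows the heap buffer;
 * a declared length larger than the input reads past the source. */
int decode_unchecked(const uint8_t *input, size_t input_len, uint8_t *out)
{
    if (input_len < 1)
        return -1;
    size_t declared = input[0];
    memcpy(out, input + 1, declared);   /* no bounds check: heap buffer overflow */
    return (int)declared;
}

/* Hardened pattern: every untrusted size is validated against both the
 * destination capacity and the bytes actually present before any copy. */
int decode_checked(const uint8_t *input, size_t input_len,
                   uint8_t *out, size_t out_size)
{
    if (input_len < 1)
        return -1;
    size_t declared = input[0];
    if (declared > out_size)        /* would write past the heap buffer */
        return -1;
    if (declared > input_len - 1)   /* would read past the input */
        return -1;
    memcpy(out, input + 1, declared);
    return (int)declared;
}

/* Constructed inputs: a well-formed record and two malformed ones. */
static const uint8_t GOOD_RECORD[] = { 4, 0x11, 0x22, 0x33, 0x44 };
static const uint8_t OVERSIZED_RECORD[] = { 200, 0x00 };   /* claims 200 bytes */
static const uint8_t TRUNCATED_RECORD[] = { 10, 0xAA, 0xBB }; /* claims 10, has 2 */

/* Returns the byte count the checked decoder accepted for a valid record (4). */
int checked_accepts_valid(void)
{
    uint8_t *buf = calloc(PIXEL_BUF_SIZE, 1);
    int rc = decode_checked(GOOD_RECORD, sizeof GOOD_RECORD, buf, PIXEL_BUF_SIZE);
    free(buf);
    return rc;
}

/* Returns -1: the checked decoder refuses a length exceeding the buffer. */
int checked_rejects_oversized(void)
{
    uint8_t *buf = calloc(PIXEL_BUF_SIZE, 1);
    int rc = decode_checked(OVERSIZED_RECORD, sizeof OVERSIZED_RECORD, buf, PIXEL_BUF_SIZE);
    free(buf);
    return rc;
}

/* Returns -1: the checked decoder refuses a length exceeding the input. */
int checked_rejects_truncated(void)
{
    uint8_t *buf = calloc(PIXEL_BUF_SIZE, 1);
    int rc = decode_checked(TRUNCATED_RECORD, sizeof TRUNCATED_RECORD, buf, PIXEL_BUF_SIZE);
    free(buf);
    return rc;
}

int main(void)
{
    /* Only the hardened decoder is run on malformed input; the unchecked
     * decoder is shown for comparison and exercised only on valid data. */
    uint8_t *buf = calloc(PIXEL_BUF_SIZE, 1);
    printf("unchecked, valid record : %d\n", decode_unchecked(GOOD_RECORD, sizeof GOOD_RECORD, buf));
    printf("checked, valid record   : %d\n", checked_accepts_valid());
    printf("checked, oversized      : %d\n", checked_rejects_oversized());
    printf("checked, truncated      : %d\n", checked_rejects_truncated());
    free(buf);
    return 0;
}
```

The two rejected cases correspond to the two ways a trusted length field goes wrong: writing beyond the destination (the heap overflow the advisory describes) and reading beyond the source. A decoder that checks only one of them is still unsafe, which is why `decode_checked` validates both before the `memcpy`.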
Exploitation of CVE-2023-4863 and CVE-2023-5217
CVE-2023-4863 and CVE-2023-5217 are understood to be exploited in the wild.
Remediation advice
Affected organisations are encouraged to review Microsoft's advisory page and apply relevant updates.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 5 October 2023 2:25 pm