Microsoft has recently released patches to fix vulnerabilities in two popular open-source libraries used in many of its products, such as Skype, Teams, and the Edge internet browser. These vulnerabilities could have been exploited by zero-day spyware to steal data from infected users. Although Microsoft has attempted to promptly close any security loopholes, the company has not made any official statement or given any explanation as to whether these vulnerabilities have been exploited. There has been no indication of whether the company is aware of any instances where spyware might have entered any of the applications. Sony has likewise refrained from making statements in this regard.
Incredibly dangerous vulnerabilities
Both vulnerabilities were discovered about a month ago and were exploited through spyware programs, as explained by researchers from Google and Citizen Lab. These vulnerabilities exist in the webp and libvpx libraries, both integrated into browsers, applications, and smartphones to process various multimedia files. Due to their widespread use, these vulnerabilities compromised the security of multiple applications almost entirely. A warning was quickly issued, urging all potential targets to update their products and enhance security measures.
In a brief statement on October 2nd, Microsoft publicly announced that the zero-day vulnerabilities had been fixed and that a security layer had been integrated into all their products. Microsoft acknowledged that these vulnerabilities were indeed present in both libraries. However, when asked whether these vulnerabilities had been exploited and whether any systems had been attacked, the Microsoft representative declined to answer. To some extent, this decision makes sense, as alarming users at this point might not be helpful. On the other hand, it is crucial for the affected individuals (if any) to know the extent to which their security or sensitive information has been compromised.