Microsoft Won't Say If Its Products Were Exploited By Spyware Zero-Days

Microsoft has released patches to fix zero-day vulnerabilities in two popular open source libraries that affect several Microsoft products, including Skype, Teams and its Edge browser. But Microsoft won't say if those zero-days were exploited to target its products, or if the company knows either way. From a report: The two vulnerabilities -- known as zero-days because developers had no advance notice to fix the bugs -- were discovered last month, and both bugs have been actively exploited to target individuals with spyware, according to researchers at Google and Citizen Lab. The bugs were discovered in two common open source libraries, webp and libvpx, which are widely integrated into browsers, apps and phones to process images and videos. The ubiquity of these libraries coupled with a warning from security researchers that the bugs were abused to plant spyware prompted a rush by tech companies, phone makers and app developers to update the vulnerable libraries in their products.

In a brief statement Monday, Microsoft said it had rolled out fixes addressing the two vulnerabilities in the webp and libvpx libraries which it had integrated into its products, and acknowledged that exploits exist for both vulnerabilities. When reached for comment, a Microsoft spokesperson declined to say if its products had been exploited in the wild, or if the company has the ability to know. Security researchers at Citizen Lab said in early September that they had discovered evidence that NSO Group customers, using the company's Pegasus spyware, had exploited a vulnerability found in the software of an up-to-date and fully patched iPhone.

Bill Borg

[RitchCraft]

I want the Bill Gates Borg graphic back when Windows articles appear.

Re:

[RitchCraft]

And Microsoft articles.

Re:

[ozzymodus12]

Yes, this is a must. We have a culture to uphold.

Re:

[Ferocitus]

That's why it needs a serious-sounding Latin motto underneath the Windows logo. Something like:
Quis paget entrat.

Re:

[elcor]

i know something felt off

Obviously national security

[myowntrueself]

By which we mean the national security of just one country; the USA.
And its offensive cyber programme being used to attack other countries and their infra and corps

Don't pretend that you're morally better than Russia, China, Iran, North Korea etc and don't operate an offensive cyber capability...

Re:

[myowntrueself]

you lose in a cyber war without offensive capabilities

you cant have it both ways

Everyone loses thanks to anyones offensive capabilities.

Default Position

[Jonathan C. Patschke]

Microsoft won't say if those zero-days were exploited to target its products, or if the company knows either way.

So that's a yes, then--probably to both?

Re:

[AvitarX]

It seems to me it'd be impossible for them to know it hasn't been.

But the fact that they didn't say "not that we know of" leads me to agree with you.

Microsoft refusing to comment on zero-days

[madscience]

Zero-days are a Windows feature. Of course there's an exploit, because any white hat would have notified Microsoft, notified the dev community, then the public. In that order. Since Microsoft is announcing it, there's already been an exploit that was used in the wild, and one of their customers complained to them. They did the forensic exploit analysis, and now PR is covering for them. It's not rocket surgery. These headlines are garbage.

So, "we do not admit anything" now? Pretty bad.

[gweihir]

I had not expected that the joke that MS "security" always was has already gotten this extremely bad. On the other hand, they had just recently stolen what was essentially a cloud master key for all of Azure and did not notice. So maybe they are really entering the final, fast phase of "going down the drains" now. I did notice that they seem to essentially have lost control of most of their products a few years back. They seem to be unable to do any major changes and seem to struggle (and fail) far too ofte