CISA warns of Windows and iOS bugs exploited as zero-days

20 February 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities exploited in attacks as zero-day to its list of bugs known to be abused in the wild.

Two of them impact Microsoft products and allows attackers to gain remote execution (CVE-2023-21823) and escalate privileges (CVE-2023-23376) on unpatched Windows systems by abusing flaws in the Common Log File System Driver and graphics components.

A third one (CVE-2023-21715) can be exploited to bypass Microsoft Office macro policies to deliver malicious payloads via untrusted files.

Microsoft patched all three earlier this week as part of the February 2022 Patch Tuesday and classified them as zero-days that were abused in attacks before a fix was available.

The fourth, a WebKit type confusion issue (CVE-2023-23529) that could lead to arbitrary code execution, was addressed by Apple on Monday and was tagged as actively exploited in the wild.

The list of devices impacted by this WebKit zero-day is quite extensive, affecting older and newer models, including iPhone 8 and later, Macs running macOS Ventura, all iPad Pro models, and more.

Federal agencies have three weeks to patch

According to a November 2021 binding operational directive (BOD 22-01), all Federal Civilian Executive Branch Agencies (FCEB) agencies are required to secure their systems against security bugs added to CISA's catalog of Known Exploited Vulnerabilities.

CISA has now given U.S. federal agencies three weeks, until March 7th, to patch the four Apple and Microsoft security vulnerabilities and thwart attacks that could target their networks.

Even though the directive only applies to U.S. federal agencies, the cybersecurity agency strongly urges all organizations to fix the security bugs to block any attack attempts to compromise their Windows or iOS devices.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.

Since the BOD 22-01 directive was issued, CISA has included hundreds of new security vulnerabilities known to be exploited in the wild to its list of bugs, ordering federal agencies to patch their systems to prevent breaches.

Today, CISA added another flaw, a critical pre-auth command injection bug (CVE-2022-46169) in the Cacti network operations framework that threat actors abused to deliver malware.

 

Related News

Microsoft Outlook flaw opens door to 1-click remote code execution attacks

23 Feb 2024

Microsoft released its batch of monthly security updates this month covering 73 vulnerabilities, including two zero-day flaws exploited in the wild. While organizations should prioritize all critical and high-risk issues, there is one critical vulnerability in Outlook that researchers claim could open the door to trivial attacks that result in remote code execution.

Read More

Microsoft Confirms Windows Exploits Bypassing Security Features

19 Feb 2024

Microsoft on Tuesday rolled out a massive batch of security-themed software updates and called urgent attention to at least three vulnerabilities being exploited in live malware attacks. The world’s largest software maker documented 72 security vulnerabilities in the Windows ecosystem and warned users of the risk of remote code execution, security feature bypass, information disclosure and privilege escalation attacks.

Read More

FBI and CISA publish guide to Living off the Land techniques

13 Feb 2024

The Cybersecurity and Infrastructure Security Agency , National Security Agency , Federal Bureau of Investigation , and other authoring agencies have released a joint guidance about common living off the land techniques and common gaps in cyber defence capabilities.

Read More