CISA warns of Windows and iOS bugs exploited as zero-days

20 February 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities exploited in attacks as zero-days to its catalog of bugs known to be abused in the wild.

Two of them impact Microsoft products and allow attackers to gain remote code execution through a flaw in the Windows Graphics Component (CVE-2023-21823) and to escalate privileges through a flaw in the Common Log File System (CLFS) driver (CVE-2023-23376) on unpatched Windows systems.

A third one (CVE-2023-21715) can be exploited to bypass Microsoft Office macro policies to deliver malicious payloads via untrusted files.

Microsoft patched all three earlier this week as part of the February 2023 Patch Tuesday and classified them as zero-days that were abused in attacks before a fix was available.

The fourth, a WebKit type confusion issue (CVE-2023-23529) that could lead to arbitrary code execution, was addressed by Apple on Monday and was tagged as actively exploited in the wild.

The list of devices impacted by this WebKit zero-day is quite extensive, affecting older and newer models, including iPhone 8 and later, Macs running macOS Ventura, all iPad Pro models, and more.

Federal agencies have three weeks to patch

According to a November 2021 binding operational directive (BOD 22-01), all Federal Civilian Executive Branch (FCEB) agencies are required to secure their systems against security bugs added to CISA's catalog of Known Exploited Vulnerabilities (KEV).

CISA has now given U.S. federal agencies three weeks, until March 7th, to patch the four Apple and Microsoft security vulnerabilities and thwart attacks that could target their networks.

Even though the directive only applies to U.S. federal agencies, the cybersecurity agency strongly urges all organizations to fix the security bugs to block attempts to compromise their Windows or iOS devices.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.

Since the BOD 22-01 directive was issued, CISA has added hundreds of security vulnerabilities known to be exploited in the wild to its catalog, ordering federal agencies to patch their systems to prevent breaches.

Today, CISA added another flaw, a critical pre-auth command injection bug (CVE-2022-46169) in the Cacti network operations framework that threat actors abused to deliver malware.

 
