The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 4 safety vulnerabilities exploited in assaults as zero-day to its checklist of bugs identified to be abused within the wild.
Two of them impression Microsoft merchandise and permits attackers to achieve distant execution (CVE-2023-21823) and escalate privileges (CVE-2023-23376) on unpatched Windows programs by abusing flaws within the Common Log File System Driver and graphics elements.
A 3rd one (CVE-2023-21715) could be exploited to bypass Microsoft Office macro insurance policies to ship malicious payloads by way of untrusted information.
Microsoft patched all three earlier this week as a part of the February 2022 Patch Tuesday and categorized them as zero-days that have been abused in assaults earlier than a repair was out there.
The fourth, a WebKit sort confusion difficulty (CVE-2023-23529) that would result in arbitrary code execution, was addressed by Apple on Monday and was tagged as actively exploited within the wild.
The checklist of units impacted by this WebKit zero-day is kind of in depth, affecting older and newer fashions, together with iPhone 8 and later, Macs working macOS Ventura, all iPad Pro fashions, and extra.
Federal companies have three weeks to patch
According to a November 2021 binding operational directive (BOD 22-01), all Federal Civilian Executive Branch Agencies (FCEB) companies are required to safe their programs in opposition to safety bugs added to CISA’s catalog of Known Exploited Vulnerabilities.
CISA has now given U.S. federal companies three weeks, till March seventh, to patch the 4 Apple and Microsoft safety vulnerabilities and thwart assaults that would goal their networks.
Even although the directive solely applies to U.S. federal companies, the cybersecurity company strongly urges all organizations to repair the safety bugs to dam any assault makes an attempt to compromise their Windows or iOS units.
“These forms of vulnerabilities are frequent assault vectors for malicious cyber actors and pose important dangers to the federal enterprise,” CISA stated.
Since the BOD 22-01 directive was issued, CISA has included lots of of recent safety vulnerabilities identified to be exploited within the wild to its checklist of bugs, ordering federal companies to patch their programs to stop breaches.
Today, CISA added one other flaw, a vital pre-auth command injection bug (CVE-2022-46169) within the Cacti community operations framework that menace actors abused to ship malware.