The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities exploited in attacks as zero-day to its list of bugs known to be abused in the wild.
Two of them impact Microsoft products and allows attackers to gain remote execution (CVE-2023-21823) and escalate privileges (CVE-2023-23376) on unpatched Windows systems by abusing flaws in the Common Log File System Driver and graphics components.
A third one (CVE-2023-21715) can be exploited to bypass Microsoft Office macro policies to deliver malicious payloads via untrusted files.
Microsoft patched all three earlier this week as part of the February 2022 Patch Tuesday and classified them as zero-days that were abused in attacks before a fix was available.
The fourth, a WebKit type confusion issue (CVE-2023-23529) that could lead to arbitrary code execution, was addressed by Apple on Monday and was tagged as actively exploited in the wild.
The list of devices impacted by this WebKit zero-day is quite extensive, affecting older and newer models, including iPhone 8 and later, Macs running macOS Ventura, all iPad Pro models, and more.
Federal agencies have three weeks to patch
According to a November 2021 binding operational directive (BOD 22-01), all Federal Civilian Executive Branch Agencies (FCEB) agencies are required to secure their systems against security bugs added to CISA’s catalog of Known Exploited Vulnerabilities.
CISA has now given U.S. federal agencies three weeks, until March 7th, to patch the four Apple and Microsoft security vulnerabilities and thwart attacks that could target their networks.
Even though the directive only applies to U.S. federal agencies, the cybersecurity agency strongly urges all organizations to fix the security bugs to block any attack attempts to compromise their Windows or iOS devices.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
Since the BOD 22-01 directive was issued, CISA has included hundreds of new security vulnerabilities known to be exploited in the wild to its list of bugs, ordering federal agencies to patch their systems to prevent breaches.
Today, CISA added another flaw, a critical pre-auth command injection bug (CVE-2022-46169) in the Cacti network operations framework that threat actors abused to deliver malware.