The US Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities exploited in zero-day attacks to its list of flaws known to be exploited in the wild.
Two of these impact Microsoft products, allowing attackers to gain remote execution (CVE-2023-21823) and escalate privileges (CVE-2023-23376) on unpatched Windows systems by exploiting vulnerabilities in the Common Log File System Driver and graphics components.
A third (CVE-2023-21715) can be exploited to bypass Microsoft Office macro policies and deliver malicious payloads via untrusted files.
Microsoft patched all three earlier this week as part of Patch Tuesday in February 2022, designating them as zero-days that were exploited in attacks before a fix was available.
The fourth, a WebKit type confusion issue (CVE-2023-23529) that could lead to arbitrary code execution, was addressed by Apple on Monday and flagged as being actively exploited in the wild.
The list of devices affected by this WebKit zero-day is quite extensive, affecting both older and newer models, including iPhone 8 and later, Macs running macOS Ventura, all iPad Pro models, and more.
Federal agencies have three weeks to patch
Under a binding operational directive (BOD 22-01) issued in November 2021, all Federal Civilian Executive Branch (FCEB) agencies are required to protect their systems from security flaws that have been added to CISA’s catalog of known exploited vulnerabilities.
CISA has now given US federal agencies three weeks, until March 7, to patch the four Apple and Microsoft vulnerabilities and thwart attacks that could target their networks.
Although the directive only applies to US federal agencies, the cybersecurity agency urges all organizations to address the vulnerabilities to block attack attempts aimed at compromising their Windows or iOS devices.
“These types of vulnerabilities are common attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
Since the release of the BOD 22-01 policy, CISA has added hundreds of new vulnerabilities known to be exploited in the wild to its bug list and has directed federal agencies to patch their systems to prevent security breaches.
Today, CISA added another bug, a critical pre-auth command injection flaw in the Cacti network operations framework (CVE-2022-46169) that threat actors have exploited to deliver malware.