CISA Warns of Windows and iOS Bugs Exploited as Zero-days

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities to its list of bugs that have been abused in the wild. Three of the four impact Microsoft products. Two of them, CVE-2023-21823 and CVE-2023-23376, exploit flaws in the Common Log File System Driver and graphics components. The third, CVE-2023-21715, allows Microsoft Office macro policies to be bypassed in order to deliver malicious payloads via untrusted files. All three were classified as 0-days but have since been patched in Microsoft's latest Patch Tuesday release.

The fourth vulnerability, CVE-2023-23529, is a WebKit type confusion issue that could lead to arbitrary code execution; it was also classified as a 0-day. It impacts a large range of devices, including the iPhone 8 and later, Macs running macOS Ventura, and all iPad Pro models, among others. This vulnerability was also patched this past week.

Under Binding Operational Directive 22-01 (BOD 22-01), issued by CISA in November 2021, all Federal Civilian Executive Branch (FCEB) agencies are required to patch any vulnerability that CISA adds to its “Known Exploited Vulnerabilities” catalog. CISA has given US federal agencies 3 weeks to patch these vulnerabilities.
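One way to operationalize that deadline for your own estate, as an added example that is not from the ARC Labs post: it parses a feed laid out like CISA's public known_exploited_vulnerabilities.json (the field names are assumed from that feed; the entries and dates below are constructed sample data, not the catalog's real records) and ranks an inventory's CVEs by days left to the KEV due date, keeping CVEs that are not in KEV visible rather than dropping them.

```python
"""Triage an inventory's CVEs against the CISA KEV catalog by BOD 22-01 due date.

Added example, not code from the post. Assumes the feed layout of CISA's public
known_exploited_vulnerabilities.json ("vulnerabilities" list with "cveID",
"product", "dateAdded", "dueDate"); dates below are constructed sample values.
"""
import json
from datetime import date

# Constructed KEV excerpt covering the four CVEs the post discusses.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-21823", "product": "Windows", "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
    {"cveID": "CVE-2023-23376", "product": "Windows", "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
    {"cveID": "CVE-2023-21715", "product": "Office", "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
    {"cveID": "CVE-2023-23529", "product": "Multiple Products", "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
]})


def load_kev(feed_text):
    """Index the KEV feed by CVE id, converting the ISO date strings to dates."""
    return {
        e["cveID"]: {"product": e["product"],
                     "date_added": date.fromisoformat(e["dateAdded"]),
                     "due_date": date.fromisoformat(e["dueDate"])}
        for e in json.loads(feed_text)["vulnerabilities"]
    }


def triage(inventory_cves, kev_index, today):
    """One row per inventory CVE, most urgent first.

    CVEs missing from KEV still get a row (status "not_in_kev") so the report
    never silently drops a finding; KEV rows carry days left to the due date,
    negative once it has passed.
    """
    rows = []
    for cve in sorted(set(inventory_cves)):
        entry = kev_index.get(cve)
        if entry is None:
            rows.append({"cve": cve, "status": "not_in_kev", "days_left": None})
            continue
        days_left = (entry["due_date"] - today).days
        rows.append({"cve": cve, "product": entry["product"],
                     "status": "overdue" if days_left < 0 else "due",
                     "days_left": days_left})
    # KEV-listed rows first, then by fewest days remaining (stable sort).
    rows.sort(key=lambda r: (r["days_left"] is None,
                             r["days_left"] if r["days_left"] is not None else 0))
    return rows
```

Swap `KEV_SAMPLE` for the downloaded catalog text and `today` for `date.today()` to run it against a real inventory.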

Analyst Notes

While CISA’s directive only applies to United States federal agencies, it is encouraged, and best practice, for other organizations to follow the same timeline when patching their vulnerabilities. In cybersecurity, a timely patching schedule is an important factor in securing an environment, as many threat actors will attempt to exploit recently disclosed 0-days before organizations have a chance to patch them. On top of a timely patching schedule, it is also important to employ a defense-in-depth strategy. Because a 0-day is by definition unknown in advance, a company’s existing detections will often not catch the 0-day itself; with a defense-in-depth strategy, however, they can still detect the threat actor at a different stage of the attack chain.