The United States Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities to its list of bugs that have been abused in the wild. Three of the four impact Microsoft products. Two of them, CVE-2023-21823 and CVE-2023-23376, abuse flaws in the Common Log File System Driver and graphics components. In addition, CVE-2023-21715 allows Microsoft Office macro policies to be bypassed in order to deliver malicious payloads via untrusted files. These three vulnerabilities were classified as 0-days but have since been patched in the latest Patch Tuesday release from Microsoft.
The fourth vulnerability, CVE-2023-23529, is a WebKit type confusion issue that could lead to arbitrary code execution. This vulnerability was also classified as a 0-day. It impacts a wide range of devices, including the iPhone 8 and later, Macs running macOS Ventura, and all iPad Pro models, among others. This vulnerability was also patched this past week.
According to Binding Operational Directive 22-01 (BOD 22-01), issued by CISA in November 2021, all Federal Civilian Executive Branch (FCEB) agencies are required to patch any vulnerability that CISA catalogs in its “Known Exploited Vulnerabilities” list. CISA has given US Federal agencies 3 weeks to patch these vulnerabilities.