February has been a busy month for security vulnerabilities, particularly for Windows and Windows Server users, as well as for iOS users. More worrying still, several of these flaws are zero-days: they were already being exploited in the wild before a fix was available. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three Microsoft zero-days and one Apple zero-day to its Known Exploited Vulnerabilities Catalog (KEVC). That listing carries weight: under Binding Operational Directive 22-01, federal civilian executive branch agencies are required to remediate every KEVC entry by its due date, which in this case means updating to iOS 16.3.1 and applying the February Windows patches within three weeks (by March 7, 2023).
It should go without saying that everyone, not just government agencies, should install security updates promptly and completely. Attackers actively target known, unpatched flaws because they are the cheapest way in, and an exploited system can be used to run malware, steal data, or move further into a network. Every day a patch is delayed is another day the system is exposed to attacks that the vendor has already fixed, which is why updates should be applied as soon as they are released.
To understand the issue better, let us start with the iOS zero-day. The vulnerability currently known to be under active attack is CVE-2023-23529, and as Forbes author Kate O'Flaherty writes, "it is already being used in real-life attacks." It is a type confusion bug in WebKit, the browser engine behind Safari and every other browser on iOS: processing maliciously crafted web content can lead to arbitrary code execution, so simply visiting a malicious page is enough to trigger it. The affected devices are the iPhone 8 and later, all iPad Pro models, the iPad Air 3rd generation and later, the iPad 5th generation and later, and the iPad mini 5th generation and later. The fix is to install iOS 16.3.1 (or iPadOS 16.3.1 on iPads).
In addition, three Microsoft zero-days have been added to CISA's KEVC. Two of them concern most Windows and Windows Server users, while the third is specific to Microsoft Office, namely Microsoft Publisher. All three were addressed in the February Patch Tuesday release, which covered 76 security vulnerabilities in total.
The first Microsoft vulnerability, CVE-2023-21823, is a remote code execution (RCE) flaw in the Windows Graphics Component that also serves as an elevation of privilege (EoP) path, and experts consider it relatively simple to exploit. A successful exploit gives the attacker SYSTEM privileges. One important caveat from the announcement: the fix is delivered through the Microsoft Store rather than Windows Update, so it does not arrive with the normal monthly cumulative update, and anyone who has disabled automatic Store updates must install it manually.
The second Microsoft vulnerability of concern is CVE-2023-23376, an elevation of privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver. It affects Windows 10 and 11 as well as Windows Server 2008 and newer, and an attacker who already has a foothold on the machine can use it to gain SYSTEM privileges.
The third Microsoft vulnerability, CVE-2023-21715, specifically affects Microsoft Office users: it is a security feature bypass in Microsoft Publisher that lets an attacker who convinces a user to open a crafted Publisher file sidestep the Office policies that would normally block untrusted macros.
The implications of these zero-day vulnerabilities are serious and cannot be overstated. As Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, told Forbes author Davey Winder, "when CISA adds a vulnerability to the Known Exploited Vulnerabilities list, this is an important signal that patching those specific CVEs should be a top priority." IT teams should treat that signal as a call to action and patch before sensitive information is exposed or a system is left open to malware and other threats.
Ian Thornton-Trump, chief information security officer (CISO) at threat intelligence provider Cyjax, said in an interview with Winder that "when CISA makes an update to the KEVC, everyone needs to pay attention. It means that threat actors are using this vulnerability to get inside targeted organizations." He stressed that "anything CISA throws on 'The Kev' needs to be patched ASAP," since there is already a noticeable lag between discovery, vetting and reverse engineering, notification, and approval.
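The advice above boils down to a routine: pull the KEVC, pick out the entries for the vendors you run, and work them in due-date order. The following script is an added example, not code from the original article or from CISA. The feed URL is CISA's real JSON endpoint, but the script runs offline on the constructed sample catalog embedded below, which mirrors the feed's field names (`cveID`, `vendorProject`, `dueDate`, and so on); the sample's dates and product strings are illustrative and should not be taken as a substitute for the live catalog.

```python
"""Triage helper for CISA's Known Exploited Vulnerabilities catalog (KEVC).

Added example. KEV_URL is CISA's published JSON feed; SAMPLE_CATALOG is a
constructed stand-in with the same schema so the script runs without network.
"""
from __future__ import annotations

import json
import urllib.request
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")

# Constructed sample: four February 2023 entries plus one old entry
# (Log4Shell) whose due date has long passed. Dates are illustrative.
SAMPLE_CATALOG = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.02.14",
    "dateReleased": "2023-02-14T00:00:00.0000Z",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2023-23529", "vendorProject": "Apple",
         "product": "iOS, iPadOS, and macOS",
         "vulnerabilityName": "WebKit type confusion",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-2023-21823", "vendorProject": "Microsoft",
         "product": "Windows", "vulnerabilityName": "Graphics Component RCE",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-2023-23376", "vendorProject": "Microsoft",
         "product": "Windows", "vulnerabilityName": "CLFS driver EoP",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-2023-21715", "vendorProject": "Microsoft",
         "product": "Publisher",
         "vulnerabilityName": "Publisher security feature bypass",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
         "product": "Log4j2", "vulnerabilityName": "Log4Shell",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    ],
})


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    name: str
    date_added: date
    due_date: date

    def days_left(self, today: date) -> int:
        """Days until the BOD 22-01 due date; negative once it has passed."""
        return (self.due_date - today).days


def parse_catalog(text: str) -> List[KevEntry]:
    """Parse the KEV JSON (live download or a saved copy) into entries."""
    raw = json.loads(text)
    return [
        KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            name=v["vulnerabilityName"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
        )
        for v in raw["vulnerabilities"]
    ]


def fetch_catalog(url: str = KEV_URL, timeout: int = 30) -> List[KevEntry]:
    """Download the live feed. Needs network; not used by the offline demo."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_catalog(resp.read().decode("utf-8"))


def triage(entries: Iterable[KevEntry], vendors: Iterable[str],
           added_since: Optional[date] = None) -> List[KevEntry]:
    """Entries for the vendors you actually run, soonest due date first.

    added_since restricts the list to recently added CVEs, which is what you
    want when reacting to a single Patch Tuesday rather than auditing all of it.
    """
    wanted = {v.lower() for v in vendors}
    picked = [e for e in entries
              if e.vendor.lower() in wanted
              and (added_since is None or e.date_added >= added_since)]
    return sorted(picked, key=lambda e: (e.due_date, e.cve_id))


def overdue(entries: Iterable[KevEntry], today: date) -> List[KevEntry]:
    """Entries whose due date has already passed: the ones to escalate first."""
    return [e for e in entries if e.days_left(today) < 0]


if __name__ == "__main__":
    today = date(2023, 2, 20)  # fixed reference date for the offline demo
    catalog = parse_catalog(SAMPLE_CATALOG)
    for e in triage(catalog, ["Microsoft", "Apple"], date(2023, 2, 1)):
        print(f"{e.cve_id}  {e.vendor}/{e.product}: {e.name}  "
              f"due {e.due_date} ({e.days_left(today)} days left)")
    for e in overdue(catalog, today):
        print(f"OVERDUE: {e.cve_id} was due {e.due_date}")
```

To run against the real feed, replace `parse_catalog(SAMPLE_CATALOG)` with `fetch_catalog()` and use `date.today()`; the vendor list is your own inventory, and anything `overdue()` returns is what Thornton-Trump means by "patch ASAP".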
To conclude, these Windows and iOS zero-day vulnerabilities must be taken seriously and patched as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded decisively by adding them to the Known Exploited Vulnerabilities Catalog (KEVC), and users should take the hint: a system that is not patched is a system that is open to exploitation. The advice is the same for everyone: update your systems now.
We encourage everyone to share their opinion in the comment section below and to help spread awareness of this issue. Which steps have you taken to ensure the security of your system? Let us all know!