Windows And iOS Security Updates Get Serious—You Have 3 Weeks To Comply, CISA Warns
February has been a bad month for security vulnerabilities affecting Windows and Windows Server users, as well as iOS users. Specifically, zero-day vulnerabilities were already being exploited before the security updates to fix them were made available. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has now stepped in by adding the three Microsoft and one Apple zero-day security issues to its Known Exploited Vulnerabilities Catalog (KEVC).
Why is the CISA announcement important?
This is important because, under U.S. Government Binding Operational Directive 22-01, federal civilian executive branch agencies have just three weeks from the date a vulnerability is added to the catalog to ensure their systems are patched. This doesn’t let everyone else off the hook, as CISA warns that it strongly urges “all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.” You should already know what the Straight Talking Cyber team at Forbes advises about applying security updates, but if you don’t: update now.
The February 2023 Microsoft zero-days
In all, three zero-day vulnerabilities have been added to CISA’s KEVC, two directly impacting most Windows and Windows Server users and the third of concern to Microsoft Office users. These were detailed, albeit very scantily in terms of the technicalities, as part of the February Patch Tuesday announcement that covered 76 security vulnerabilities in all.
CVE-2023-21823 is a remote code execution (RCE) and Escalation of Privilege (EOP) vulnerability; one security expert describes it as relatively simple to exploit, and Microsoft confirmed that, if successful, it could lead to an attacker gaining SYSTEM privileges. To add more confusion to the issue, Microsoft says that the update is being distributed through the Microsoft Store rather than Windows Update, which could mean that users who have Store updates disabled will need to install it manually.
CVE-2023-23376 also impacts users of Windows 10 and 11, as well as most versions of Windows Server from 2008 onward, but it is an EOP vulnerability rather than an RCE. The third Microsoft zero-day added to the CISA catalog is CVE-2023-21715, which impacts Microsoft Office users: a vulnerability within Microsoft Publisher that could be used to bypass the blocking of malicious macros.
The February iOS zero-day
As for the iOS zero-day vulnerability, as my Forbes Straight Talking Cyber colleague, Kate O’Flaherty, writes, CVE-2023-23529 is “already being used in real-life attacks.” This WebKit ‘type confusion’ vulnerability enables a potential threat actor to use malicious web content that can lead to arbitrary code execution on impacted devices. Those devices are the iPhone 8 and later, all iPad Pro models, the third-generation iPad Air and later, the fifth-generation iPad and later, as well as fifth-generation iPad Mini devices.
Patching these zero days must be a top priority
“When CISA adds a vulnerability to the Known Exploited Vulnerabilities list, this is an important signal that patching those specific CVEs should be a top priority,” Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, said. Mackey added that it “should be considered a call to action for all IT teams to ensure that no system is allowed onto a network that processes sensitive information without validation that vulnerabilities on the KEVC remain unpatched.”
Ian Thornton-Trump, the chief information security officer (CISO) at threat intelligence provider Cyjax, agreed when I spoke with him this morning. “When CISA makes an update to the KEVC, or as I like to call it ‘The Kev,’ everyone needs to pay attention,” Thornton-Trump says. “It means that threat actors are using this vulnerability to get inside targeted organizations. ‘The Kev’ is the greatest tool bequeathed to the defending security community and should be followed and actioned immediately – it’s the best real world, heavily vetted cyber threat intelligence resource there is.” Thornton-Trump also stresses that “anything CISA throws on ‘The Kev’ needs to be patched ASAP,” because “before it gets published, there are probably more than a few days of lag time between discovery, vetting/reverse engineering and notification. Not to mention a whole bunch of approvals.”