Microsoft, Apple Product Flaws Added to CISA Vulnerability Catalog

Four new vulnerabilities found in Microsoft and Apple products were added on Tuesday to the Cybersecurity and Infrastructure Security Agency’s catalog of system flaws that malicious threat actors frequently exploit to gain access to federal civilian executive branch networks.

The Known Exploited Vulnerabilities Catalog contains recommended actions to protect the federal enterprise. FCEB agencies are required to remediate the vulnerabilities identified in the list by a given deadline to reduce exposure to cyberattacks, CISA said.

According to the catalog, Microsoft Office has a security feature bypass vulnerability that allows for a local, authenticated attack on a targeted system. Two more Microsoft products, namely Windows Graphic Component and Windows Common Log File System, were added to the list because of an unspecified vulnerability that could provide attackers with system privileges.

A type confusion vulnerability, meanwhile, was found in Apple iOS, macOS, Safari and iPadOS, which use WebKit as their web browser engine. The catalog warned that the WebKit vulnerability may lead to code execution.

CISA advised agencies to apply product updates per vendor instructions on or before March 7 to mitigate cyber risks.

More vulnerabilities were added to the catalog last week, including the Fortra GoAnywhere MFT remote code execution vulnerability. The Clop ransomware gang said it exploited the flaw in the secure file transfer tool to steal data from over 130 organizations. According to the group, it deployed ransomware payloads to encrypt the systems of its victims and steal documents from compromised GoAnywhere MFT servers.
