CISA wants you to patch these actively exploited vulnerabilities before September 8
On Thursday, CISA (the US Cybersecurity and Infrastructure Security Agency) added seven new entries to its Known Exploited Vulnerabilities catalog. The flaws affect Apple, Google, Microsoft, Palo Alto Networks, and SAP products. Under Binding Operational Directive 22-01, federal civilian agencies must patch them by September 8, 2022; CISA urges everyone else to treat that date as a deadline, too.
CVE-2022-22536, an SAP flaw carrying the maximum CVSS score of 10.0, is one of the seven. We wrote about it in February, and SAP patched it promptly. CISA also warned that customers who fail to patch CVE-2022-22536 could be exposed to ransomware attacks, data theft, financial fraud, and other business disruptions that could cost them millions.
CVE-2022-32893 and CVE-2022-32894, the two zero-day out-of-bounds write vulnerabilities affecting iOS, iPadOS, and macOS (one in WebKit, one in the kernel), continue to headline as of this writing. Both are serious: an out-of-bounds write that an attacker can trigger with crafted content can be turned into arbitrary code execution and full control of an unpatched device. Apple has released fixes, documented on the following support pages:
- About the security content of iOS 15.6.1 and iPadOS 15.6.1
- About the security content of macOS Monterey 12.5.1
- About the security content of Safari 15.6.1
The high-severity Google Chrome flaw, CVE-2022-2856, is also confirmed to be under active exploitation. As with other zero-days, technical details are scarce, but Google's advisory describes it as "insufficient validation of untrusted input in Intents." Intents are the mechanism Chrome uses in the background to hand requests between the browser and other apps or components, for example when processing user input or handling a system event. If Chrome accepts attacker-crafted input here without validating it properly, the result could be arbitrary code execution in the browser or a full system compromise.
Google has already patched this. Chrome normally updates itself, but it is worth forcing an update check (Help > About Google Chrome, or chrome://settings/help) and then relaunching the browser, since a downloaded update only takes effect after a restart.
Microsoft released patches for CVE-2022-21971 (a Windows Runtime remote code execution bug) and CVE-2022-26923 (an Active Directory Domain Services elevation-of-privilege bug) in February and May, respectively. Microsoft originally rated the former "Exploitation Less Likely," but that assessment has been overtaken by events: a proof-of-concept (PoC) exploit has been available since March. PoC exploits were also published for CVE-2022-26923, though only after Microsoft had shipped its patch.
The Palo Alto Networks entry is the oldest of the seven. CVE-2017-15944, disclosed in 2017, carries a CVSS severity rating of 9.8 (Critical) and allows remote code execution on affected PAN-OS systems. You can read more about this flaw on Palo Alto Networks' advisory page.
Malwarebytes advises readers to apply patches for these flaws if they use products from the companies mentioned. You don't have to wait for the due date before you act.
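Added example (not code from the original article or from CISA): a small Python triage script that loads the KEV feed and lists the entries due by a given date, optionally filtered to the vendors you actually run, with a days-left figure for each. The feed URL and the field names (cveID, vendorProject, product, dateAdded, dueDate) are the ones the catalog uses; the embedded sample catalog is constructed from the seven entries above, and its product strings and the 2022-08-25 dateAdded are assumptions rather than values copied from the live feed.

```python
"""Triage CISA Known Exploited Vulnerabilities (KEV) entries by due date and vendor.

Added example, not code from the original article or from CISA. The KEV catalog
is published as JSON at KEV_URL; its top-level "vulnerabilities" list uses the
field names cveID, vendorProject, product, dateAdded and dueDate. SAMPLE_CATALOG
is constructed for offline use from the seven entries the article discusses;
the product strings and the 2022-08-25 dateAdded are assumptions, not values
copied from the live feed.
"""
import json
import urllib.request
from datetime import date

KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")

SAMPLE_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-2022-22536", "vendorProject": "SAP", "product": "Internet Communication Manager",
         "dateAdded": "2022-08-25", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-32893", "vendorProject": "Apple", "product": "iOS, iPadOS, and macOS",
         "dateAdded": "2022-08-25", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-32894", "vendorProject": "Apple", "product": "iOS, iPadOS, and macOS",
         "dateAdded": "2022-08-25", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-2856", "vendorProject": "Google", "product": "Chrome",
         "dateAdded": "2022-08-25", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-21971", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-08-25", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-08-25", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2017-15944", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "dateAdded": "2022-08-25", "dueDate": "2022-09-08"},
    ]
}


def _as_date(value):
    """Accept either a datetime.date or an ISO 'YYYY-MM-DD' string (the feed's format)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_catalog(path=None):
    """Load the catalog from a local JSON file, or fetch the live feed when no path is given."""
    if path is not None:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    with urllib.request.urlopen(KEV_URL, timeout=30) as resp:  # needs network access
        return json.load(resp)


def entries_due_by(catalog, deadline, vendors=None):
    """Entries whose dueDate is on or before `deadline`, optionally restricted to the
    given vendorProject names (case-insensitive). Sorted by due date, then CVE ID,
    so the most urgent items come first."""
    deadline = _as_date(deadline)
    wanted = {v.casefold() for v in vendors} if vendors else None
    matches = []
    for entry in catalog["vulnerabilities"]:
        if _as_date(entry["dueDate"]) > deadline:
            continue
        if wanted is not None and entry["vendorProject"].casefold() not in wanted:
            continue
        matches.append(entry)
    return sorted(matches, key=lambda e: (e["dueDate"], e["cveID"]))


def days_left(entry, today):
    """Days until the entry's due date; negative once it is overdue."""
    return (_as_date(entry["dueDate"]) - _as_date(today)).days


def overdue(catalog, today):
    """Entries whose due date has already passed as of `today`."""
    return [e for e in catalog["vulnerabilities"] if days_left(e, today) < 0]


if __name__ == "__main__":
    # Reproducible offline run: the day after the seven additions, Apple and Microsoft only.
    today = "2022-08-26"
    for e in entries_due_by(SAMPLE_CATALOG, "2022-09-08", vendors=["Apple", "Microsoft"]):
        print(f"{e['cveID']:<16} {e['vendorProject']:<12} {e['product']:<24} "
              f"due {e['dueDate']} ({days_left(e, today)} days left)")
```

To run it against the real catalog, replace SAMPLE_CATALOG with `load_catalog()` (live fetch) or `load_catalog("known_exploited_vulnerabilities.json")` for a copy you have already downloaded, and pass today's date; `overdue()` then gives you the list that should already be closed out, regardless of whether the BOD 22-01 deadlines formally apply to you.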