Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin

Black Arrow Cyber Advisory 08 September 2023 – Apple Discloses 2 New Zero-days Actively Exploited to Attack iPhones and Macs


Executive Summary

Apple has released emergency updates to fix two new zero-day vulnerabilities that are being actively exploited against iPhone and Mac users. On an unpatched device, the vulnerabilities allow an attacker to execute arbitrary code by delivering a maliciously crafted image or attachment, without the victim having to open anything.

What’s the risk to me or my business?

The vulnerabilities have already been used together in a zero-click iMessage exploit chain to deploy the Pegasus mercenary spyware. Once the implant is running, the attacker can execute code on the device to extract messages, photos and emails and to record calls, impacting the confidentiality, integrity and availability of data.

Patches are available in:

macOS Ventura 13.5.2: Available for devices running macOS Ventura.

iOS 16.6.1 and iPadOS 16.6.1: Available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

Technical Summary:

CVE-2023-41064 – A buffer overflow in the ImageIO image-parsing framework: processing a maliciously crafted image can lead to arbitrary code execution.

CVE-2023-41061 – A validation issue in Wallet: a maliciously crafted attachment can also result in arbitrary code execution. Together the two bugs give an attacker code execution from a single message, which is why the chain needs no interaction from the victim.

What can I do?

Users should apply the patches as soon as possible because the vulnerabilities are being exploited in the wild. Organisations should also make sure that employees using personal (BYOD) Apple devices update them, since those devices have access to corporate information and an unmanaged, unpatched phone is as much of a risk to that data as a managed one. Where devices are enrolled in MDM, use it to verify the installed OS version rather than relying on users to confirm. Devices that cannot be updated to the versions listed above should be treated as exposed until Apple ships a fix for their release.
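The verification step above is easier to do from an inventory than by asking users. The following is an added example, not code from Black Arrow or Apple: it takes a constructed MDM-style export (hypothetical device names and versions) and reports which devices are below the fixed versions named in the advisory (macOS Ventura 13.5.2, iOS and iPadOS 16.6.1). Devices on a major release the advisory lists no fix for are reported separately instead of being silently passed, and versions are compared as integer tuples so that "13.10" is not ordered before "13.5.2".

```python
"""Patch-compliance check for the Apple fixes above.

Added example; this is not Black Arrow's or Apple's code. The inventory
below is constructed to resemble an MDM export (device name, platform,
reported OS version). Fixed versions come from the advisory: macOS Ventura
13.5.2 and iOS/iPadOS 16.6.1. Devices on a major release the advisory
lists no fix for are reported separately instead of being passed.
"""
from dataclasses import dataclass

# Minimum version containing the fix, keyed by (platform, major release).
# Only the releases named in the advisory are listed.
FIXED_VERSIONS = {
    ("macOS", 13): (13, 5, 2),
    ("iOS", 16): (16, 6, 1),
    ("iPadOS", 16): (16, 6, 1),
}


def parse_version(text):
    """'16.6.1' -> (16, 6, 1); '13.5' -> (13, 5, 0).

    Comparing tuples of ints avoids the string-comparison bug where
    '13.10' sorts before '13.5'.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


@dataclass
class Device:
    name: str
    platform: str  # "macOS", "iOS" or "iPadOS", as reported by the MDM
    os_version: str


def classify(device):
    """Return 'patched', 'vulnerable' or 'no_fix_in_advisory'."""
    version = parse_version(device.os_version)
    fixed = FIXED_VERSIONS.get((device.platform, version[0]))
    if fixed is None:
        # e.g. macOS 12 or iOS 15: the advisory names no fixed build, so the
        # device cannot be marked patched; treat it as exposed until one ships.
        return "no_fix_in_advisory"
    return "patched" if version >= fixed else "vulnerable"


def compliance_report(devices):
    """Group device names by compliance status, preserving inventory order."""
    report = {"patched": [], "vulnerable": [], "no_fix_in_advisory": []}
    for device in devices:
        report[classify(device)].append(device.name)
    return report


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Device("mac-finance-01", "macOS", "13.5.2"),
    Device("mac-finance-02", "macOS", "13.5.1"),
    Device("mac-dev-03", "macOS", "13.6"),
    Device("mac-legacy-04", "macOS", "12.6.8"),
    Device("iphone-ceo", "iOS", "16.6.1"),
    Device("iphone-sales-07", "iOS", "16.6"),
    Device("iphone-old-09", "iOS", "15.7.8"),
    Device("ipad-reception", "iPadOS", "16.6.1"),
]

if __name__ == "__main__":
    for status, names in compliance_report(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

On a Mac the version to feed in is the output of `sw_vers -productVersion`; for iPhones and iPads it is the OS version the MDM reports. The same tuple comparison works for any future Apple advisory by changing the entries in FIXED_VERSIONS.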

Further information can be found below:

https://www.bleepingcomputer.com/news/apple/apple-discloses-2-new-zero-days-exploited-to-attack-iphones-macs/

https://support.apple.com/en-gb/HT213905

https://support.apple.com/en-gb/HT213906 

Black Arrow Admin

Black Arrow Cyber Advisory 15/02/2023 – Microsoft Patch Tuesday – 75 patches and Three Actively Exploited Vulnerabilities


Executive summary

Microsoft’s February Patch Tuesday provides updates to address 75 security issues across its product range, including three zero-days that are being actively exploited.

Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important. 37 of the 75 are remote code execution (RCE) flaws.

The three exploited zero-days are a security feature bypass, a remote code execution vulnerability and an elevation of privilege vulnerability; each is described in the technical summary below.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker to bypass the Office macro policies that block untrusted files, to execute code remotely, and to gain SYSTEM privileges on an affected machine; any of these could compromise the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows and for the affected Microsoft 365 Apps. Apply them as soon as possible, prioritising the three actively exploited vulnerabilities and any with a Critical severity rating.

Technical Summary

The following is a breakdown of the three actively exploited vulnerabilities:

CVE-2023-21715: A security feature bypass in Microsoft Publisher (Microsoft 365 Apps). A user who is tricked into opening a specially crafted Publisher file can bypass the Office macro policies used to block untrusted or malicious files, so the macros in the file run. Exploitation requires a local, authenticated user, but a phishing email with the file attached is enough to reach that position.

CVE-2023-21823: A remote code execution vulnerability in the Windows Graphics Component which allows an attacker to execute code with SYSTEM privileges. Microsoft is delivering this fix through the Microsoft Store, so affected customers receive it automatically only if automatic updates are enabled in the Store; organisations that have disabled Store updates need to deliver it another way.

CVE-2023-23376: An elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver which allows an attacker who already has local access to gain SYSTEM privileges.

Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/02/14/microsoft-windows-security-updates-february-2023-overview/ 

Further details about CVE-2023-21715 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21715

Further details about CVE-2023-21823 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21823

Further details about CVE-2023-23376 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23376

Black Arrow Admin

Black Arrow Cyber Advisory 14/12/2022 – Microsoft Patch Tuesday – 48 Patches, Two Zero-Days Fixed, one under active exploitation


Executive Summary

Microsoft’s December Patch Tuesday provides 48 patches to address security issues across its product range. Among them are a fix for an actively exploited zero-day that allowed a malicious file to bypass Mark of the Web (MOTW) defences, and a fix for a publicly disclosed zero-day elevation of privilege vulnerability in the DirectX Graphics Kernel.

What’s the risk to me or my business?

The MOTW bypass lets an attacker deliver a downloaded or emailed file that Windows and Office do not recognise as coming from the internet, so the SmartScreen warning and Office Protected View do not trigger when the user opens it; this is being used in the wild to get malware onto machines. The DirectX flaw allows an attacker who already has a foothold to escalate to SYSTEM privileges. Together these could compromise the confidentiality, integrity and availability of an organisation’s data. Security updates are available for all supported versions of Windows, and as one of the vulnerabilities is known to be actively exploited, they should be applied as soon as possible.

What can I do?

Apply the available updates from Microsoft as soon as possible, while taking into consideration any potential downtime that these updates may cause.

Technical Summary

The following is a breakdown of the two Zero-Day vulnerabilities which affected Microsoft products:

CVE-2022-44710: An elevation of privilege vulnerability in the DirectX Graphics Kernel with a CVSS rating of 7.8, which allows a local attacker to gain SYSTEM privileges. This one was publicly disclosed before the patch but has not been reported as exploited.

CVE-2022-44698: A Windows SmartScreen security feature bypass with a CVSS 3.1 rating of 5.4, which allowed an attacker to craft a file that evades MOTW defences, so the security warnings that normally accompany a file downloaded from the internet are not shown. Despite the modest score, this is the vulnerability under active exploitation.
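To make the MOTW mechanism behind CVE-2022-44698 concrete, here is an added example (not Microsoft’s or Black Arrow’s code) that parses the Zone.Identifier alternate data stream Windows attaches to downloaded files and audits a set of files for ones that carry no usable mark. The file names and stream contents in SAMPLE_STREAMS are constructed; read_motw and audit_directory only do anything on Windows/NTFS, where the stream actually exists.

```python
"""Mark of the Web (MOTW) audit helper.

Added example; not Microsoft's or Black Arrow's code. Windows records MOTW
as an NTFS alternate data stream named 'Zone.Identifier' on a downloaded
file. SmartScreen and Office Protected View decide whether to warn based on
the ZoneId in that stream (3 = Internet, 4 = Restricted sites). A file that
reaches disk without a usable mark gets none of those warnings, which is
what a MOTW bypass buys an attacker. SAMPLE_STREAMS below is constructed.
"""
import os

ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text):
    """Parse the INI-style stream body.

    Returns a dict with an integer 'ZoneId' (plus ReferrerUrl/HostUrl when
    present), or None if the stream carries no usable ZoneId.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    try:
        fields["ZoneId"] = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None
    return fields


def is_marked_untrusted(stream_text):
    """True when the mark places the file in the Internet or Restricted zone."""
    if stream_text is None:
        return False
    fields = parse_zone_identifier(stream_text)
    return fields is not None and fields["ZoneId"] >= 3


def read_motw(path):
    """Read a file's Zone.Identifier stream. NTFS/Windows only; None if absent."""
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def audit(files):
    """Map each (name, stream_text) pair to one of:
    'marked' (Internet/Restricted zone, defences will fire),
    'trusted_zone' (marked, but a zone the defences do not warn on),
    'unmarked' (no stream at all), 'malformed' (stream present, no usable ZoneId).
    Unmarked or malformed script and Office files in a Downloads folder are the
    ones worth a second look.
    """
    results = {}
    for name, stream_text in files:
        if stream_text is None:
            results[name] = "unmarked"
        elif parse_zone_identifier(stream_text) is None:
            results[name] = "malformed"
        elif is_marked_untrusted(stream_text):
            results[name] = "marked"
        else:
            results[name] = "trusted_zone"
    return results


def audit_directory(directory):
    """Run audit() over real files; only meaningful on Windows/NTFS."""
    names = sorted(os.listdir(directory))
    return audit([(n, read_motw(os.path.join(directory, n))) for n in names])


# Constructed sample streams in the layout a browser writes.
SAMPLE_STREAMS = [
    ("invoice.js", "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                   "HostUrl=https://example.invalid/invoice.js\r\n"),
    ("report.docm", "[ZoneTransfer]\r\nZoneId=1\r\n"),
    ("setup.vbs", None),                              # no stream at all
    ("update.lnk", "[ZoneTransfer]\r\nZoneId=\r\n"),  # stream present, value missing
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_STREAMS).items():
        print(f"{name}: {status}")
```

The audit does not tell you whether a given unmarked file is malicious, only that the MOTW-based defences never had a chance to evaluate it; patching is what closes the bypass, and this check is for finding files that arrived before the patch was applied.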

Further details on other specific updates within this Patch Tuesday can be found here: https://www.ghacks.net/2022/12/13/microsoft-windows-security-updates-december-2022-overview/

