CISA orders agencies to patch Windows, iOS bugs used in attacks

CISA added two new vulnerabilities to its list of security bugs exploited in the wild today, including a Windows privilege escalation vulnerability and an arbitrary code execution flaw affecting iPhones and Macs.

The elevation of privileges bug in the Windows Common Log File System Driver is tracked as CVE-2022-37969, enabling local attackers to gain SYSTEM privileges following successful exploitation.

Microsoft patched the vulnerability discovered and reported by researchers at DBAPPSecurity, Mandiant, CrowdStrike, and Zscaler during the September 2022 Patch Tuesday.

"We found this 0Day bug during a proactive Offensive Task Force exploit hunting mission. An escalation of privilege (EOP) exploit was found in the wild, exploiting this Common Log File System (CLFS) vulnerability," Dhanesh Kizhakkinan, Senior Principal Vulnerability Engineer at Mandiant, told BleepingComputer.

"The exploit seems to stand-alone and not part of a chain (like browser + EOP)."

Apple also patched the arbitrary code execution vulnerability (CVE-2022-32917) on Monday and confirmed that it was exploited in attacks as a zero-day bug in the iOS and macOS kernel.

This was the eighth zero-day used in the wild that Apple addressed since the start of the year, all of them most likely used only in highly-targeted attacks.

Federal agencies ordered to patch within three weeks

A binding operational directive (BOD 22-01) issued in November 2021 says that all Federal Civilian Executive Branch Agencies (FCEB) agencies have to secure their networks against bugs added to CISA's catalog of Known Exploited Vulnerabilities (KEV).

CISA has given Federal Civilian Executive Branch Agencies (FCEB) agencies three weeks, until October 10th, to address these two security flaws and block attacks that could target their systems.

Even though the directive only applies to U.S. federal agencies, the cybersecurity agency strongly urged all orgs to fix the Windows privilege escalation and the Apple Kernel code execution flaws to thwart exploitation attempts.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," CISA warned today.

Since BOD 22-01 was issued, CISA has added over 800 security flaws to the catalog of bugs exploited in the wild, requiring federal agencies to address them on a tighter schedule to block attacks and potential security breaches.