Mozilla Releases Security Updates for Multiple Products

Mozilla has released security updates to address a vulnerability affecting Firefox, Firefox ESR, and Thunderbird. A cyber threat actor can exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Mozilla’s advisory (MFSA 2023-40) and apply the necessary updates.

CISA Adds Three Known Vulnerabilities to Catalog

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2023-35674 Android Framework Privilege Escalation Vulnerability
  • CVE-2023-20269 Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability
  • CVE-2023-4863 Google Chrome Heap-Based Buffer Overflow Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Microsoft Releases September 2023 Updates

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s September 2023 Security Update Guide and apply the necessary updates.
 

Apple Releases Security Updates for iOS and macOS

Apple has released security updates to address a vulnerability in multiple products. A cyber threat actor could exploit this vulnerability to take control of an affected device.
CISA encourages users and administrators to review the following advisories and apply the necessary updates.

CISA Adds Two Known Vulnerabilities to Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2023-36761 Microsoft Word Information Disclosure Vulnerability
  • CVE-2023-36802 Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

NSA, FBI, and CISA Release Cybersecurity Information Sheet on Deepfake Threats

Today, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (CSI), Contextualizing Deepfake Threats to Organizations, which provides an overview of synthetic media threats, techniques, and trends. Threats from synthetic media, such as deepfakes, have exponentially increased—presenting a growing challenge for users of modern technology and communications, including the National Security Systems (NSS), the Department of Defense (DoD), the Defense Industrial Base (DIB), and national critical infrastructure owners and operators. Between 2021 and 2022, U.S. Government agencies collaborated to establish a set of employable best practices to take in preparation and response to the growing threat. Public concern around synthetic media includes disinformation operations, designed to influence the public and spread false information about political, social, military, or economic issues to cause confusion, unrest, and uncertainty.

The authoring agencies urge organizations review the CSI for recommended steps and best practices to prepare, identify, defend against, and respond to deepfake threats.

To report suspicious activity or possible incidents involving deepfakes, contact one of the following agencies:

Adobe Releases Security Updates for Multiple Products

Adobe has released security updates to address vulnerabilities affecting Adobe software. A cyber threat actor can exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

CISA Releases its Open Source Software Security Roadmap

Today, CISA released an Open Source Software Security Roadmap to lay out—in alignment with the National Cybersecurity Strategy and the CISA Cybersecurity Strategic Plan—how we will partner with federal agencies, open source software (OSS) consumers, and the OSS community, to secure OSS infrastructure. To that end, the roadmap details four key goals:

  1. Establish CISA’s role in supporting the security of OSS,
  2. Understand the prevalence of key open source dependencies,
  3. Reduce risks to the federal government, and
  4. Harden the broader OSS ecosystem.

See CISA’s Open Source Software Security Roadmap to learn more.

 

CISA Releases Three Industrial Control Systems Advisories

CISA released three Industrial Control Systems (ICS) advisories on September 12, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

CISA Adds Two Known Vulnerabilities to Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2023-41064 Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow
  • CVE-2023-41061 Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.