Fri. Sep 22nd, 2023

End users, administrators, and researchers should be on guard. The number of apps being patched for zero-day vulnerabilities has skyrocketed this month, and it’s likely to get even worse in the coming weeks.

People have been working overtime in recent weeks to patch a number of vulnerabilities that are being exploited in the wild, with products from Apple, Microsoft, Google, Mozilla, Adobe, and Cisco all affected since the beginning of this month. The number of zero-days tracked this month is significantly higher than this year’s monthly average. There have been 10 so far in September, compared to a total of 60 from January to August, according to security firm Mandiant. The company tracked 55 zero-days in 2022 and 81 in 2021.

Affected products include iOS and macOS, Windows, Chrome, Firefox, Acrobat and Reader, Atlas VPN, and Cisco’s Adaptive Security Appliance Software and its Firepower Threat Defense. One vulnerability exists in probably hundreds of apps and would allow hackers to execute malicious code when a user opens a message or a booby-trapped image contained in a web page, so the number of affected apps is likely to grow further.

The vulnerability, tracked as CVE-2023-4863, resides in a widely used code library known as libwebp. Google created this library over a decade ago to render the then-new WebP graphics format. Libwebp is integrated into approximately 70 downstream libraries, which are in turn included in other libraries and popular apps. For example, a single affected intermediate library, Electron, runs in Microsoft Teams, Slack, Skype, Discord, the desktop version of Signal messenger, and more. Electron developers fixed the bug on Tuesday.
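The libwebp case shows why a bug in one low-level library reaches "hundreds of apps": each downstream library that bundles it carries the flaw into everything built on top of it. The script below is an added example, not code from the article or from any of the projects it names; it walks a constructed dependency graph in reverse to list every package that transitively depends on a vulnerable library, with the path by which the exposure arrives. The graph itself is illustrative: the edges from Electron to Teams, Slack and Signal desktop follow the article, the Electron-to-Chromium edge reflects the fact that Electron embeds Chromium, and the remaining nodes and edges are assumptions made up for the demonstration, not a real software bill of materials.

```python
"""
Added example (not from the article): given a package -> dependencies map,
find every package that transitively depends on a vulnerable library such
as libwebp, and report the dependency path that carries the exposure.
"""
from collections import deque

# Constructed, illustrative dependency graph: package -> direct dependencies.
# Only the Electron -> (Teams, Slack, Signal) edges come from the article;
# "chromium" bundling libwebp and the unaffected "vim"/"some-editor" nodes
# are assumptions added to make the walk meaningful.
DEPENDENCIES = {
    "libwebp": [],
    "chromium": ["libwebp"],        # assumption: Chromium bundles libwebp
    "electron": ["chromium"],       # Electron embeds Chromium
    "firefox": ["libwebp"],         # article: Firefox affected
    "teams-desktop": ["electron"],  # article: Teams runs on Electron
    "slack-desktop": ["electron"],  # article: Slack runs on Electron
    "signal-desktop": ["electron"], # article: Signal desktop runs on Electron
    "vim": [],                      # assumption: unaffected control package
    "some-editor": ["vim"],         # assumption: depends only on vim
}


def reverse_graph(deps):
    """Invert package -> dependencies into package -> dependents."""
    rev = {pkg: [] for pkg in deps}
    for pkg, children in deps.items():
        for child in children:
            rev.setdefault(child, []).append(pkg)
    return rev


def affected_by(vulnerable_pkg, deps):
    """
    Breadth-first walk over reverse edges starting at the vulnerable package.
    Returns {affected_package: path}, where path lists the chain from the
    vulnerable library up to that package. A 'seen' set makes the walk safe
    on graphs with cycles and prevents reporting a package twice.
    """
    rev = reverse_graph(deps)
    seen = set()
    paths = {vulnerable_pkg: [vulnerable_pkg]}
    queue = deque([vulnerable_pkg])
    while queue:
        cur = queue.popleft()
        for dependent in rev.get(cur, []):
            if dependent not in seen:
                seen.add(dependent)
                paths[dependent] = paths[cur] + [dependent]
                queue.append(dependent)
    return {pkg: paths[pkg] for pkg in seen}


if __name__ == "__main__":
    # Usage: list everything exposed through libwebp, with the chain of
    # packages that carries the exposure to it.
    for pkg, path in sorted(affected_by("libwebp", DEPENDENCIES).items()):
        print(f"{pkg:15s} exposed via {' <- '.join(reversed(path))}")
```

Against a real inventory the map would be built from the package manager's lock file or a CycloneDX/SPDX document rather than typed in, but the walk is the same: start at the patched library and follow dependents until nothing new appears, which is exactly the list of products that need the fix rolled out.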

Meanwhile, two different zero-days that have been keeping iOS and macOS users busy were recently used in the wild to infect targets with advanced spyware known as Pegasus. Pegasus and the accompanying exploit used to install it are developed by the controversial vendor NSO. The exploit offered in the attack Apple warned about last week was sent through an iMessage call and worked even if the user took no action.


These vulnerabilities are tracked as CVE-2023-41064 and CVE-2023-41061 and have some similarities with the libwebp vulnerability. First, both provide remote code execution capabilities via malicious images. And second, both were discovered by a team comprised of Apple’s security engineering and architecture team and Citizen Lab, a research group at the University of Toronto that tracks nation-state cyberattacks. It is currently unknown how CVE-2023-41064 and CVE-2023-41061 are related to CVE-2023-4863.

Three different zero-days were revealed on Tuesday, two from Microsoft and one from Adobe. One of them, CVE-2023-36761, allows hackers to obtain sensitive information such as password hashes by sending a malicious Word document to a target. Another Microsoft vulnerability exists in the Streaming Service Proxy in supported versions of Windows. Adobe’s vulnerability, tracked as CVE-2023-26369, exists in Acrobat and Reader and has a severity rating of 7.8 out of 10. This could allow an attacker to execute remote code.

Two other zero-days reported in the past two weeks are:

  • CVE-2023-20269 in Cisco’s Adaptive Security Appliance Software and its Firepower Threat Defense. The company revealed on Monday that it was being used in ransomware attacks.
  • CVE-2023-35674, Android vulnerability allows hackers to gain elevated privileges.

On September 1, a researcher posted an exploit for an unpatched vulnerability in Atlas VPN on Reddit. It allows an attacker to learn the IP address of a person using the VPN. Atlas representatives did not immediately respond to an email asking about the status of the vulnerability.

Yet another zero-day may have been exploited in recent weeks. Researchers at Google’s Project Zero announced last week that hackers backed by the North Korean government are exploiting it to target security researchers. The researchers did not name the affected software.


With 70 zero-days discovered so far this year, 2023 is on track to surpass the previous record of 81, set in 2021. The most effective measure is to install security patches as soon as they become available. Of course, this advice is of no use to targets that were attacked before the exploit became publicly known and a patch was issued. The standard preventive advice bears repeating:

  • Be suspicious of links, especially those in emails or messages, and never follow prompts to install or update apps or browser extensions.
  • Use a firewall, such as Windows Firewall or macOS’ LuLu Firewall. These programs cannot protect you from infection by zero-day exploits or other types of exploits. But firewalls can stop the damage that installed malware can cause by requiring newly installed apps to receive permission the first time they attempt an outgoing connection on the Internet.
  • Run your antivirus software.

Another thing to remember about zero-days is that most of us are unlikely to be targeted by them. Exploits for this class of vulnerability often cost $1 million or more, and once they are used on the Internet they typically become public knowledge within a few days and lose their value. This means that zero-days are likely to be used against only a small number of targets deemed to be of high value, such as government officials, political dissidents, large corporations, and holders of large amounts of cryptocurrency.

By Admin