Fresh vulnerabilities exploited in the wild
This week brought a new batch of vulnerabilities that are actively being exploited in the wild, at least according to CISA's Known Exploited Vulnerabilities (KEV) Catalog. As expected, most concern Microsoft products and were disclosed in this month's Patch Tuesday.
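Since the starting point of this roundup is the KEV catalog, here is an added example (not code from the original post or from CISA) of how the weekly check against the catalog can be scripted: it parses the feed's JSON, keeps the entries CISA added in the last seven days, counts them per vendor and sorts them by days remaining until CISA's due date, flagging anything already overdue. The feed URL is CISA's real endpoint; the embedded SAMPLE_KEV document is constructed in the feed's shape so the script runs offline, and its vulnerability names, dates and the "CVE-EXAMPLE-OLD" entry are placeholders, not CISA's records. Run it with --fetch to triage the live catalog instead.

```python
"""Weekly KEV triage: which entries were added this week, by which vendor,
and how long until CISA's remediation due date. Added example, not from the post."""
import json
import sys
import urllib.request
from datetime import date, timedelta

# CISA's published feed (real URL); everything else in this file is illustrative.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed so the script runs offline.
# The 2023 CVE IDs are the ones discussed in the post; the names, dates and the
# "OLD" entry are placeholders, not CISA's records.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.02.14",
    "dateReleased": "2023-02-14T00:00:00.0000Z",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2023-23529", "vendorProject": "Apple", "product": "iOS, iPadOS, and macOS",
         "vulnerabilityName": "WebKit code execution (constructed label)",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-23376", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "CLFS driver privilege escalation (constructed label)",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-21715", "vendorProject": "Microsoft", "product": "Office",
         "vulnerabilityName": "Publisher security feature bypass (constructed label)",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-21823", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Graphics Component privilege escalation (constructed label)",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-EXAMPLE-OLD", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "Placeholder entry added months earlier",
         "dateAdded": "2022-11-03", "dueDate": "2022-11-24",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string (the feed uses the latter)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_kev(text):
    """Parse a KEV JSON document and return its 'vulnerabilities' list."""
    return list(json.loads(text)["vulnerabilities"])


def fetch_kev(url=KEV_URL, timeout=20):
    """Download the live catalog (network required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def added_since(entries, since):
    """Keep only entries CISA added on or after `since`."""
    since = _as_date(since)
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]


def by_vendor(entries):
    """Count entries per vendorProject, e.g. to see how Microsoft-heavy a week is."""
    counts = {}
    for e in entries:
        counts[e["vendorProject"]] = counts.get(e["vendorProject"], 0) + 1
    return counts


def triage(entries, today, vendors=None):
    """Build a worklist sorted by urgency (days left until CISA's dueDate)."""
    today = _as_date(today)
    rows = []
    for e in entries:
        if vendors and e["vendorProject"] not in vendors:
            continue
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cve": e["cveID"],
            "vendor": e["vendorProject"],
            "product": e["product"],
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "overdue": today > due,
        })
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


def main(argv):
    if "--fetch" in argv:
        entries, today = fetch_kev(), date.today()
    else:
        entries, today = load_kev(SAMPLE_KEV), date(2023, 2, 17)  # reference date for the sample
    week = added_since(entries, today - timedelta(days=7))
    print("added this week:", by_vendor(week))
    for r in triage(week, today):
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']:3d} days left"
        print(f"{r['cve']:<16} {r['vendor']:<10} {r['product']:<24} due {r['due']}  {flag}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

The vendors filter is what turns the catalog into an action list for a given team: pass {"Apple"} to get the entries that need to go out through user coaching rather than the Windows patch pipeline.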
The novelty, however, is a zero-day in Apple's WebKit engine (CVE-2023-23529), the browser engine behind Safari on every Apple platform, from iPhone and iPad to Mac. Note that on iOS every browser, Chrome and Firefox included, is built on WebKit, so switching browsers is no mitigation. Exploitation relies on malicious content delivered as part of a web page, so a drive-by visit to an attacker-controlled or compromised site is enough to plant mobile spyware on an iPhone or another Apple device. Apple's advisory says only that the bug is a type confusion issue, that processing maliciously crafted web content may lead to arbitrary code execution, and that Apple is aware of a report of active exploitation; nothing about who is exploiting it or against whom has been shared, so no real risk assessment can be made.
iPhones, iPads and Macs are usually outside the patch-management oversight that Windows devices get, so organizations without an MDM solution will need to plan carefully how to steer users to update as soon as possible. The fix shipped in iOS 16.3.1, iPadOS 16.3.1 and macOS Ventura 13.2.1 (and as Safari 16.3.1 for older macOS releases), so asking users to confirm they are on at least those versions is the minimum check.
On the Microsoft front, this week marked the disclosure of three actively exploited vulnerabilities. None of them gives remote initial access: each requires the attacker to already run code on the device or to get a user to open a crafted file, which is exactly why they will become standard parts of attackers' post-exploitation toolkits.
CVE-2023-23376 is an elevation of privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver, a general-purpose logging facility used by both kernel-mode and user-mode components. Exploiting it takes an attacker from an ordinary user account to SYSTEM.
Similar CLFS EoP bugs were patched during 2022 and were likewise exploited in the wild (CVE-2022-24521, credited to the NSA and CrowdStrike, is one example), so this is a component attackers keep returning to.
CVE-2023-21715 is a security feature bypass in Microsoft Publisher (part of Office) that lets a crafted file sidestep the Office macro policies meant to block untrusted documents. To be exploited, it requires a user to download and open an attacker-created Publisher file on a vulnerable system. It is likely to find its way into phishing toolkits, much like earlier security feature bypasses such as the one defeating Mark-of-the-Web (MotW).
Finally, CVE-2023-21823 is an EoP vulnerability in the Windows Graphics Component (Microsoft lists it as remote code execution, but its own description is that of a local escalation). It too requires access to the vulnerable system to run a specially crafted application, which then gains the ability to run processes in an elevated context.
The Microsoft vulnerabilities are broadly reiterations of previously seen bug classes: nothing wormable, but further additions to the post-compromise arsenal, which is best addressed by breach-prevention and containment measures: strong, phishing-resistant authentication, least privilege for everyday accounts, and endpoint detection and response capable of catching the escalation attempt.
Apple's WebKit problem, on the other hand, is something to watch carefully, especially if related vulnerabilities surface in the near future. In the meantime, patching, or at least coaching users to patch, should be a priority.