The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued more alerts related to security vulnerabilities exploited in attacks targeting Microsoft Windows, Adobe products, and Mozilla software.
The fresh alerts come alongside a CISA alert that was sent out for administrators and users to update Apple products, including iPhones that use iOS software.
“Microsoft has released updates to address multiple vulnerabilities in Microsoft software,” it says. “An attacker can exploit some of these vulnerabilities to take control of an affected system.” A similar bulletin was released for Mozilla and Adobe.
CISA, which is operated by the Department of Homeland Security, said it advises users to review Microsoft’s February 2023 Security Update Guide and Deployment Information and “apply the necessary updates.”
According to Microsoft, the February 2023 update patches three vulnerabilities that were already being exploited before the fix was available: CVE-2023-21715, CVE-2023-23376, and CVE-2023-21823.
“The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer,” Microsoft says.
One of the bugs, according to security expert Dustin Childs with Trend Micro, is likely being used “to spread malware or ransomware … considering this was discovered by Microsoft’s Threat Intelligence Center (aka MSTIC), it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly.”
Microsoft says that affected customers will receive the updates automatically. Those who have disabled automatic updates can get them through the Microsoft Store by going to Library, choosing Get updates, and then clicking Update all. Windows 10 users can also open the Settings menu, go to the Update & Security section, and install the update there, which generally requires a restart.
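For administrators who want to confirm that a Windows host actually picked up the update rather than trusting that automatic updates ran, the following PowerShell script is an added example (not from the article or from Microsoft). It assumes the February 2023 updates shipped on 2023-02-14 (that month's Patch Tuesday, a date the article does not state) and uses the Windows Update Agent COM API, which is present on supported Windows versions; it lists hotfixes installed since that date, asks Windows Update for anything still pending, and checks whether a restart is outstanding.

```powershell
# Added example (not from the article): verify a Windows host's patch state
# after a Patch Tuesday release. Assumption: the February 2023 updates shipped
# on 2023-02-14; adjust $ReleaseDate for another month's release.
$ReleaseDate = Get-Date '2023-02-14'

function Get-RecentHotfixes {
    # Hotfixes installed on or after the release date, newest first.
    # Get-HotFix reads the same data as "View update history" in Settings.
    @(Get-HotFix | Where-Object { $_.InstalledOn -ge $ReleaseDate } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn)
}

function Get-PendingUpdates {
    # Ask the Windows Update Agent for applicable updates not yet installed.
    # The search criteria syntax is the one documented for IUpdateSearcher.Search.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($update in $result.Updates) {
        [PSCustomObject]@{
            Title    = $update.Title
            KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $update.MsrcSeverity   # e.g. Critical / Important; empty for non-security updates
        }
    }
}

function Test-PendingReboot {
    # Windows Update creates this key when an installed update still needs a restart,
    # which matches the article's note that the update generally requires a reboot.
    Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
}

$hotfixes = Get-RecentHotfixes
"Hotfixes installed since $($ReleaseDate.ToShortDateString()): $($hotfixes.Count)"
$hotfixes | Format-Table -AutoSize

$pending = @(Get-PendingUpdates)
if ($pending.Count -gt 0) {
    "Updates still pending: $($pending.Count)"
    $pending | Format-Table -AutoSize
} else {
    "No pending software updates reported by Windows Update."
}

if (Test-PendingReboot) { "A restart is required to finish applying updates." }
```

Run it from an elevated PowerShell session so the Windows Update Agent search is not blocked by policy. A host that shows no hotfixes since the release date, a non-empty pending list, or an outstanding reboot has not finished applying the month's fixes, whatever the automatic-update setting says.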
For Adobe, CISA advises users to apply updates for After Effects, Connect, FrameMaker, Bridge, Photoshop, InDesign, Premiere Rush, Animate, and Substance 3D Stager. Several of these patches are rated “critical” in severity, including those for the widely used Adobe Photoshop and Adobe InDesign.
“Probably the most interesting fix is for Photoshop. This patch fixes five bugs, three of which are rated Critical. An attacker could get arbitrary code execution if they can convince a user on an affected system to open a malicious file,” Childs wrote in a blog post. “This is the same scenario for Premiere Rush, which corrects two Critical-rated code execution bugs.”
Mozilla, meanwhile, also released security updates to address vulnerabilities in Firefox 110, according to CISA. The agency advises users and administrators to review Mozilla’s security advisories for Firefox 110 and Firefox ESR 102.8.
CISA also called on users to update their Apple iPhones, MacBooks, and other products due to similar vulnerabilities. Apple’s updates include iOS 16.3.1, iPadOS 16.3.1, and macOS Ventura 13.2.1, while the firm is rolling out Safari 16.3.1 to older Apple operating systems, including macOS Big Sur and macOS Monterey.
“Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected device,” CISA said.
The notice covers updates for Safari 16.3.1, iOS 16.3.1 and iPadOS 16.3.1, and macOS 13.2.1. On its website, Apple describes one of the fixed issues as “an app may be able to execute arbitrary code with kernel privileges,” and another as “processing maliciously crafted web content may lead to arbitrary code execution.”