The Latest Zero-Day Vulnerabilities From Apple, Microsoft

The tech giants this week disclosed new vulnerabilities that they said have been exploited in cyberattacks.

The Latest Zero Days

While the stream of newly discovered software vulnerabilities never ceases, some are more serious than others. Vulnerabilities that are already being actively exploited are generally treated as a priority: for vendors to fix, and for users to patch. By that measure, this was a busy week for disclosures of exploited zero-day vulnerabilities. Two titans of the industry, Apple and Microsoft, revealed zero-day vulnerabilities this week affecting their widely used products, and said there is reason to believe the flaws have been exploited. The exploited Apple zero-day affects iPhones, Macs and iPads, while the three exploited Microsoft zero-days impact Office and Windows.

[Related: US Agency Urges Deployment Of Apple’s Updates For iPhones, Macs]

Apple released fixes for its vulnerability on Monday, while Microsoft released patches for the Office and Windows zero-day vulnerabilities on Tuesday as part of its monthly release of bug fixes, popularly known as “Patch Tuesday.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released advisories urging updates for both the Apple and Microsoft vulnerabilities, saying that in both cases, attackers could exploit the flaws to “take control” of an affected device or system.

With a steady stream of vulnerabilities to address, the key for organizations is to get a handle on the actual business impact of any given vulnerability and to prioritize accordingly, according to Brad Davenport, vice president of technical architecture for cybersecurity, networking and collaboration at Logicalis US. “It’s a constant prioritization game to determine what ultimately is the business impact, and then to really prioritize those things,” he said.

Often, however, the fact that a vulnerability is being actively exploited is a signal that updates should come sooner rather than later.
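The prioritization described above is easy to state and easy to get wrong in practice, so here is an added example of how a small triage script might encode it. This is illustrative code written for this article, not a tool from Apple, Microsoft, CISA or any of the people quoted. The four CVEs and the Apple fixed versions (iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1) come from the article; the Patch Tuesday date of 2023-02-14 is assumed, and the asset inventory, its field names and the idea of tracking Windows hosts by the date of their last cumulative update are all constructed for the example.

```python
"""Exploited-first patch triage over a small asset inventory.

Added example for this article; not vendor code. Apple fixed versions are
from the article, the Patch Tuesday date and the asset records are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple, List, Dict

# Microsoft's severity scale; Apple does not rate its advisories this way.
SEVERITY_RANK = {"critical": 3, "important": 2, "moderate": 1, "low": 0, "unrated": 0}

PATCH_TUESDAY = date(2023, 2, 14)  # assumed date of the February 2023 release


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str                         # software an asset must run to be affected
    severity: str
    exploited: bool                      # vendor says exploitation has been observed
    fixed_version: Optional[Tuple[int, ...]] = None  # Apple: first version with the fix
    fixed_on: Optional[date] = None                  # Windows/Office: release date of fix


def parse_version(s: str) -> Tuple[int, ...]:
    """'16.3.1' -> (16, 3, 1). Compare numerically: as strings '16.10' < '16.9'."""
    return tuple(int(p) for p in s.split("."))


def is_exposed(asset: Dict, v: Vuln) -> bool:
    """True if the asset runs the affected product and has not received the fix."""
    if v.product not in asset["software"]:
        return False
    if v.fixed_version is not None:
        # Shorter tuples compare low: (16, 3) < (16, 3, 1), so '16.3' is exposed.
        return parse_version(asset["version"]) < v.fixed_version
    if v.fixed_on is not None:
        # Assumed inventory field: date of the last cumulative update applied.
        return asset["last_patched"] < v.fixed_on
    return True  # no fix known at all: treat as exposed


def triage(vulns: List[Vuln], assets: List[Dict]) -> List[Tuple[Vuln, List[str]]]:
    """Rank (vuln, exposed asset names): exploited first, then exposure, then severity."""
    rows = [(v, [a["name"] for a in assets if is_exposed(a, v)]) for v in vulns]
    rows.sort(
        key=lambda r: (r[0].exploited, len(r[1]), SEVERITY_RANK[r[0].severity]),
        reverse=True,
    )
    return rows


# The four exploited zero-days from the article.
VULNS = [
    Vuln("CVE-2023-23529", "ios", "unrated", True, fixed_version=(16, 3, 1)),
    Vuln("CVE-2023-21715", "office", "important", True, fixed_on=PATCH_TUESDAY),
    Vuln("CVE-2023-23376", "windows", "important", True, fixed_on=PATCH_TUESDAY),
    Vuln("CVE-2023-21823", "windows", "important", True, fixed_on=PATCH_TUESDAY),
]

# Constructed inventory; names, versions and dates are made up for the example.
ASSETS = [
    {"name": "cfo-iphone", "software": {"ios"}, "version": "16.3"},
    {"name": "design-ipad", "software": {"ipados"}, "version": "16.3.1"},
    {"name": "dev-mac", "software": {"macos"}, "version": "13.2.1"},
    {"name": "fileserver", "software": {"windows"}, "last_patched": date(2023, 1, 10)},
    {"name": "hr-laptop", "software": {"windows", "office"}, "last_patched": date(2023, 1, 10)},
    {"name": "it-laptop", "software": {"windows", "office"}, "last_patched": date(2023, 2, 14)},
]

if __name__ == "__main__":
    for v, exposed in triage(VULNS, ASSETS):
        flag = "EXPLOITED" if v.exploited else "not exploited"
        print(f"{v.cve:15} {v.severity:9} {flag:14} exposed={exposed}")
```

Two details matter more than the ranking itself: versions are compared as integer tuples, not strings, and an asset whose patch date equals the release date counts as fixed while anything older does not. The iPadOS and macOS entries share the same CVE but are tracked here only as iOS for brevity; a real inventory would carry one affected-product entry per platform.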

What follows are details on the latest zero day vulnerabilities from Apple and Microsoft.

Apple: iOS, iPadOS, macOS Vulnerability

On Monday, Apple released security fixes for iPhones, Macs and iPads after the discovery of a new vulnerability affecting the devices, tracked as CVE-2023-23529. The company released iOS 16.3.1, iPadOS 16.3.1 and macOS Ventura 13.2.1 in response to the discovery of the WebKit vulnerability.

In its notes on the WebKit vulnerability, Apple said that it’s “aware of a report that this issue may have been actively exploited.” The flaw affects iPhone models as far back as iPhone 8, Macs running macOS Ventura and numerous iPad models. CISA said it’s urging administrators and users to review the information posted by Apple and “apply the necessary updates as soon as possible.”

The vulnerability has been characterized as a type confusion issue in WebKit, the browser engine behind Safari and every other browser on iOS, which was addressed through “improved checks,” Apple said. Apple’s advisory describes the impact as arbitrary code execution when processing maliciously crafted web content, so a user only needs to be lured to a malicious page. It was discovered by an anonymous researcher, according to the company.

Further details on the vulnerability have been hard to come by, however. “Little evidence currently exists as to how the vulnerability was exploited, and there appears to be no publicly available exploit code,” wrote Ryan Cribelar, a vulnerability research engineer at Nucleus Security, in a blog post Tuesday.

Microsoft: Office Security Bypass Vulnerability

The first of the three exploited vulnerabilities disclosed by Microsoft affects Office and is tracked as CVE-2023-21715. Microsoft rates its severity as “important.” However, the company has offered “no info on how widespread these exploits may be,” wrote Dustin Childs of Trend Micro’s Zero Day Initiative.

According to Microsoft, an attacker who gets a user to open a malicious file could exploit the vulnerability to bypass the recently added Office macro policies that block macros in untrusted files. Childs said the vulnerability “sounds more like a privilege escalation than a security feature bypass.” Still, “active attacks in a common enterprise application shouldn’t be ignored,” he wrote.

Cribelar wrote that “it is not clear what the execution of the exploit can allow for the attacker to achieve further,” but that the exploit “likely leads to the ability for the attacker to bypass further security features.”

Microsoft: Windows Privilege Escalation Vulnerability

The next exploited vulnerability disclosed by Microsoft affects Windows, including numerous versions of Windows Server as well as Windows 10 and 11, and is tracked as CVE-2023-23376. Microsoft rates its severity as “important.”

Microsoft said that a threat actor could exploit the vulnerability, which impacts the Windows Common Log File System (CLFS) driver, to gain SYSTEM privileges. In other words, it could allow an attacker to “completely take over a target,” Childs wrote. Because this is a local privilege escalation, the attacker needs to already be running code on the machine; most likely, the vulnerability is being chained with a remote code execution flaw to deploy ransomware or other malware, he wrote.

“Considering this was discovered by Microsoft’s Threat Intelligence Center (aka MSTIC), it could mean it was used by advanced threat actors,” Childs wrote. “Either way, make sure you test and roll these fixes quickly.”

Microsoft: Windows Remote Code Execution Vulnerability

The final exploited vulnerability disclosed by Microsoft on Tuesday also impacts Windows, including many versions of Windows Server along with Windows 10 and 11, and is tracked as CVE-2023-21823. Microsoft rates its severity as “important.”

Microsoft said that an attacker could exploit the vulnerability, which affects a Windows graphics component, to execute code and gain SYSTEM privileges.

The vulnerability “appears to exist due to [the] fact that a user can trigger memory corruption due to a boundary error and execute arbitrary code from within the Graphics Driver Component in Windows,” Cribelar wrote.

Microsoft has specifically singled out the possibility of leveraging the vulnerability through OneNote, Immersive Labs’ Kevin Breen told security journalist Brian Krebs. Breen noted that OneNote has recently seen increased use as a delivery vehicle in targeted attacks, which makes a bug reachable through OneNote documents a natural fit for phishing-based intrusions.