CISA Orders Federal Agencies To Fix Exploited Google And Adobe Flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) requires federal agencies to patch actively exploited vulnerabilities in Google Chrome and the Adobe Commerce and Magento platforms by March 1.

The agency added the two actively exploited vulnerabilities to its Catalog of Known Exploited Vulnerabilities, along with seven other flaws. The catalog was introduced in November as a way to push federal civilian agencies to apply patches — like those for the Log4j flaw — in a “more aggressive” timeline.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose a significant risk to the federal enterprise,” according to CISA in its Tuesday alert.

One of the actively exploited vulnerabilities is a high-severity use-after-free flaw (CVE-2022-0609) in the Animation component of Google Chrome. In a security advisory on Monday, Google said it was aware of reports that an exploit for the flaw exists in the wild and that a fix is available in build 98.0.4758.102 for Windows, Mac, and Linux, which will be rolled out over the coming days. The flaw was discovered by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group earlier in February.

The other actively exploited flaw exists in Adobe’s Commerce platform and in Magento, an open-source platform that offers hosted and self-hosted CMS options for online stores. The issue stems from a critical improper input validation vulnerability (CVE-2022-24086) which could lead to the execution of arbitrary code. Adobe said the flaw has been exploited in the wild in “very limited attacks” targeting Adobe Commerce merchants.

“A remote, unauthorized attacker can send a malicious request to the application and execute arbitrary code on the target server,” Pieter Arntz, malware researcher at Malwarebytes, said in an analysis of the vulnerability. “Successful exploitation of this vulnerability could result in complete compromise of the affected system.”

A number of older vulnerabilities have also been added to CISA’s catalog, including Microsoft vulnerabilities in Internet Explorer (CVE-2019-0752), Windows VBScript Engine (CVE-2018-8174), Word (CVE-2014-1761) and the graphics component (CVE-2013-3906). Federal agencies have until August 15 to patch these vulnerabilities, but CISA hopes the catalog will spur companies to apply the updates as well.
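The catalog is published as a machine-readable feed, which makes the deadlines above something a patch-management team can act on automatically. The following Python is an added example, not CISA’s own tooling: it loads a constructed record set in the shape of the KEV JSON export (the field names `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` are an assumption about that format), lists the entries whose remediation deadline falls within a given window, and checks an installed Chrome version against the fixed build the article cites. The calendar year 2022 is inferred from the CVE identifiers, since the article only gives month and day.

```python
"""KEV due-date triage and Chrome build check (added example, not CISA tooling)."""
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON export. Field names are an
# assumption about the export format; CVE IDs and due dates follow the article
# (the two actively exploited flaws are due March 1, the older ones August 15).
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2022-0609", "vendorProject": "Google", "product": "Chrome",
     "dateAdded": "2022-02-15", "dueDate": "2022-03-01"},
    {"cveID": "CVE-2022-24086", "vendorProject": "Adobe",
     "product": "Commerce and Magento", "dateAdded": "2022-02-15", "dueDate": "2022-03-01"},
    {"cveID": "CVE-2019-0752", "vendorProject": "Microsoft", "product": "Internet Explorer",
     "dateAdded": "2022-02-15", "dueDate": "2022-08-15"},
    {"cveID": "CVE-2018-8174", "vendorProject": "Microsoft", "product": "Windows VBScript Engine",
     "dateAdded": "2022-02-15", "dueDate": "2022-08-15"}
  ]
}
"""

# Fixed Chrome build named in the article's Google advisory.
CHROME_FIXED_BUILD = "98.0.4758.102"


def load_kev(text):
    """Parse a KEV-style JSON document and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def due_within(entries, today, days):
    """Return (cveID, days_left) for every entry due within `days` of `today`.

    Overdue entries are included with a negative days_left, so nothing that has
    already passed its deadline drops out of the report. Sorted by urgency.
    """
    horizon = today + timedelta(days=days)
    report = []
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        if due <= horizon:
            report.append((entry["cveID"], (due - today).days))
    return sorted(report, key=lambda item: item[1])


def parse_version(version):
    """Turn a dotted build string like '98.0.4758.102' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def chrome_is_patched(installed):
    """True when the installed Chrome build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(CHROME_FIXED_BUILD)


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    # Five days after the alert, what is due in the next two weeks?
    for cve, days_left in due_within(entries, date(2022, 2, 20), 14):
        state = "OVERDUE" if days_left < 0 else f"due in {days_left} days"
        print(f"{cve}: {state}")
    for build in ("98.0.4758.80", "98.0.4758.102"):
        print(f"Chrome {build}: {'patched' if chrome_is_patched(build) else 'vulnerable'}")
```

Tuple comparison is used for the version check rather than string comparison, because `"98.0.4758.80" > "98.0.4758.102"` is true lexically and would report an unpatched build as fixed.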

“While BOD 22-01 only applies to FCEB agencies, CISA urges all organizations to reduce their exposure to cyberattacks by prioritizing the timely remediation of catalog vulnerabilities as part of their vulnerability management practice,” according to CISA.
