CISA adds Microsoft, Apple bugs to exploited vulnerabilities catalog

The Cybersecurity and Infrastructure Security Agency added three bugs to its catalog of known exploited vulnerabilities this week, highlighting issues with popular products from Microsoft and Apple.

On Monday, CISA added two Apple vulnerabilities to its list, giving federal civilian agencies until May 1 to patch the issues.

Apple released patches for the bugs — CVE-2023-28205 and CVE-2023-28206 — on Friday after they were reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.

The two organizations released a report last week about a spyware vendor selling exploits for Google, Apple and Samsung devices to governments.

Both of the vulnerabilities affect macOS, iPhone 8 and later, all models of the iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

In its advisory, Apple said it was “aware of a report that this issue may have been actively exploited.”

Mobile security company Zimperium’s Krishna Vishnubhotla explained that CVE-2023-28206 revolves around the OSurfaceAccelerator framework – a tool used by many iOS and macOS applications that need high-performance graphics processing, such as video editors, games, and augmented reality applications.

“If IOSurfaceAccelerator is exploited, it could potentially allow an attacker to gain unauthorized access to sensitive data or execute malicious code on an iOS device,” Vishnubhotla said.

“Since IOSurfaceAccelerator provides low-level access to graphics hardware resources, exploiting a vulnerability in the framework could give an attacker the ability to manipulate graphics resources, intercept or modify data, or even cause the device to crash.”

Vishnubhotla noted that the exposure of the vulnerability could go beyond macOS due to how many iOS apps rely on the feature.

The other bug, CVE-2023-28205, affects WebKit, a core software component of macOS and iOS that is responsible for rendering web pages and executing JavaScript code in the Safari web browser and other applications.

Like IOSurfaceAccelerator, Vishnubhotla said WebKit is used widely across mac and iOS, posing significant risk to users because exploitation would allow attackers to take control of the device's web browsing capabilities and steal sensitive user data, such as login credentials and other personal information.

Several other experts noted that because the bugs were reported together by the same researchers, it is likely they were used in conjunction with one another.

Microsoft’s bug

On Tuesday, CISA added Microsoft’s CVE-2023-28252 to its list, ordering civilian agencies to patch the bug by May 2.

The bug, which was among the more than 100 vulnerabilities included in Microsoft’s Patch Tuesday release for April, caused alarm among security researchers who called it the most serious unveiled on Tuesday.

Dustin Childs of Trend Micro’s Zero Day Initiative said the issue affects the Windows Common Log File System Driver (CLFS), which effectively allows users to record a series of steps required for some actions so that they can be either reproduced accurately in the future or undone.

“This is the one bug under active attack this month, and if it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago. To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix,” Childs said.

“As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware. Definitely test and deploy this patch quickly.”

Cloud security company Automox’s Gina Geisel said the zero-day affects versions of Windows 10, Windows 11, as well as Windows Server 2008, 2012, 2016, 2019, and 2022.

Geisel explained that the vulnerability has a low level of complexity and requires relatively few privileges to exploit. The bug “leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system,” she said.

Researchers from Kaspersky said the vulnerability was exploited by hackers attempting to spread the Nokoyawa ransomware. The controversial security company said they found the vulnerability in February after it was used in attacks on several small and medium-sized businesses in the Middle East, Asia and North America.

Trend Micro researchers said Nokoyawa uses many tactics similar to the now defunct Hive ransomware group and Play ransomware actors, who recently attacked the city of Oakland.

Kaspersky researchers said they previously saw versions of Nokoyawa that resembled variants of the JSWorm ransomware but the version used in the exploitation of CVE-2023-28252 was distinct from the others in terms of its codebase.

The attackers used the vulnerability to elevate their system privileges and steal credentials from a database.

Bharat Jogi, director of vulnerability and threat research at Qualys, told The Record that CVE-2023-28252 allows an attacker to gain the highest system-level privileges on the vulnerable system.

Jogi added that this is not the first time that this specific driver has been an attractive target for threat actors. In September 2022, Microsoft fixed another vulnerability – CVE-2022-37969, which was known to be exploited in the wild – which affected the same component.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
What is Threat Intelligence
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.