CISA tells agencies to patch recent Windows 10 zero-day abused by Emotet botnet

CISA has ordered federal civilian agencies to patch two zero-days disclosed this week in products like Google Chrome and Windows 10.

The urgency comes as the two vulnerabilities have already been exploited even before Google and Microsoft released patches on Monday and Tuesday, respectively.

While details about the attacks against Chrome users are not available, Microsoft said the Windows 10 zero-day was under large-scale abuse by several malware botnets.

In these attacks, users would receive a malicious AppX installer via email that, when executed, would grant attackers access to run code on their systems.

Microsoft said it observed phishing campaigns abuse this vulnerability to install malware strains like Emotet, TrickBot, and BazarLoader, all of which have been seen over the past year as staging steps for deploying ransomware.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," CISA said on Wednesday.

As a result, CISA added the two zero-days to a database of known actively exploited vulnerabilities it launched last month and has given federal agencies until December 29 to patch the two bugs.

The Chrome zero-day is tracked as CVE-2021-4102, while the Windows 10 AppX zero-day is tracked as CVE-2021-43890.

This is the second update to CISA's known-exploited vulnerabilities database this week after CISA told federal agencies on Monday to patch the Log4Shell vulnerability by December 24 as well.