In a second announcement of its kind in recent weeks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security alert, noting possible vulnerabilities in Microsoft Windows, several Adobe products, and Mozilla browser software. The new alert follows CISAs alert regarding security issues for iPhones and iOS software users. The alert noted:
“Microsoft has released updates to address multiple vulnerabilities in Microsoft software,” it says. “An attacker can exploit some of these vulnerabilities to take control of an affected system.” CISA released similar announcements for Mozilla and Adobe.
To address the most recent concern, CISA, a department coordinated by the Department of Homeland Security, recommend Microsoft users review Microsoft’s February 2023 Security Update Guide and Deployment Information and “apply the necessary updates.”
Microsoft is reportedly moving to address the problem by making available a “patch” to close gaps in the three known areas of vulnerability: CVE-2023-21715, CVE-2023-23376, and CVE-2023-21823. According to Microsoft, the February 2023 patch fixes those issues.
A Microsoft statement reads: “The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer,”
According to security expert Dustin Childs of Trend Micro, the “bug” is designed “to spread malware or ransomware … considering this was discovered by Microsoft’s Threat Intelligence Center (aka MSTIC), it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly.”
CISA noted that impacted Adobe products include After Effects, Effects, Connect, FrameMaker, Bridge, Photoshop, InDesign, Premiere Rush, Animate, and Substance 3D Stager. Adobe is making available “patches” to address “critical” security issues.
Childs noted in a blog: “Probably the most interesting fix is for PhotoShop. This patch fixes five bugs, three of which are rated Critical. An attacker could get arbitrary code execution if they can convince a user on an affected system to open a malicious file. This is the same scenario for Premier Rush, which corrects two Critical-rated code execution bugs.”
Mozilla users are advised to read their most recent “security advisories” for Firefox 110 and Firefox ESR 102.8.
CISA advises iPhone and MacBook users to update their iOS systems to 16.3.1, iPadOS 16.3.1, and macOS’s Ventura 13.2.1. Apple is also rolling out Safari 16.3.1 to fortify older Apple operating systems.