Federal agencies have been urged by the Cybersecurity and Infrastructure Security Agency to remediate five of 10 zero-day vulnerabilities leveraged in two spyware campaigns by April 20, reports BleepingComputer.
CISA has updated its Known Exploited Vulnerabilities catalog to include an out-of-bounds write flaw in iOS, iPadOS, and macOS, tracked as CVE-2021-30900; a use-after-free flaw in the Arm Mali GPU kernel driver, tracked as CVE-2022-38181; an unspecified flaw in the Arm GPU kernel driver, tracked as CVE-2022-22706; and use-after-free bugs in Google Chrome in the Linux kernel, tracked as CVE-2022-3038 and CVE-2023-0266, respectively.
Such vulnerabilities were reported by Google's Threat Analysis Group to have been used in attacks since November, which involved different exploit chains for spyware deployment in iOS and Android devices, while different zero- and n-day flaws have been used to target Samsung Android phones with spyware.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," said CISA.
Such a development comes after the vulnerability was discovered by Proofpoint to be leveraged in intrusions beginning September 28, following the release of its proof-of-concept exploit code and technical information by Project Discovery.
Attackers who successfully activated "CSS Combine" and "Generate UCSS" within Page Optimization settings could leverage the vulnerability not only to exfiltrate sensitive data but also to elevate privileges and facilitate website takeovers for further compromise, according to an analysis from Patchstack.
More widespread of the addressed bugs was a logic issue, tracked as CVE-2024-44204, which could prompt Apple's new VoiceOver feature to read credentials saved within the recently unveiled Passwords app.