microsoft and apple issue patches for zero-day vulnerabilities

Both Microsoft and Apple have released security updates for their major operating systems and the United States Cybersecurity & Infrastructure Security Agency is urging users to install these patches immediately to protect themselves from some serious zero-day vulnerabilities.

In the specific case of Microsoft (MSFT), CISA reported three vulnerabilities, one affecting the firm’s productivity software Office and two that impacted the company’s flagship operating system Windows.

Two of the weaknesses allowed bad actors to perform privilege escalations – an action that allows users with limited access to increase their permissions so they can progressively gain control over a network or device.

Meanwhile, the third weakness – the one affecting MS Office – reportedly allowed an unauthorized party to perform an authenticated attack on a system.

Microsoft has already released patches this Tuesday to fix these flaws. The gravity of the three vulnerabilities was apparently high as CISA rated them all with a 7.8 score out of a maximum of 10 for the most severe weaknesses.

Meanwhile, the CISA-listed vulnerability from Apple (AAPL) affected many of its operating systems including iOS for mobiles, iPadOS, SafariOS, and MacOS. CISA described the flaw as a “type of confusion” that may allow a third party to execute a malicious code that could result in them gaining control of the user’s device entirely

What are Zero-Day Vulnerabilities?

A zero-day vulnerability is a flaw in a system or software that has not been detected by the developer and that could be exploited by bad actors without anyone noticing. These weaknesses can be categorized depending on how vulnerable the system is to being breached or entirely overtaken by a criminal or unauthorized party.

The vendors of the software are required to issue a patch or a security update that fixes the bug once the zero-day vulnerability is detected to protect users’ data and the integrity of their systems.

Zero-day exploits are used to take advantage of these weaknesses. They can be pieces of code or malicious software created by a hacker to penetrate the system. Meanwhile, a zero-day attack is an incident that involved the use of these vulnerabilities to gain access to a network or system.

Cybercrime is On the Rise – Users Should Keep Their Systems Updated

According to eSentire’s 2022 Official Cybercrime Report, the cost of cybercrime is expected to be $8 trillion by the end of 2023. Meanwhile, data from Check Point Research indicates that the number of cyberattacks globally increased by 38% in 2022 compared to the previous year.

The most heavily attacked sectors are government, education & research, and healthcare. Installing the latest security updates from software developers is one of the recommendations made by cybersecurity experts to network administrators.

However, it may take a while for vendors to identify and patch a zero-day vulnerability and, during that period, bad actors can steal sensitive data and even hijack some major systems and ask for a ransom to liberate them.

Also read: US Authorities Take Down Ransomware-as-a-Service Website Hive

This practice is known as ransomware and many corporations have been hit by it lately as organizations continue to move most of their operations to the digital realm. According to Panda Security, ransomware was considered the top threat for corporations in 2021.

If appropriately exploited, the weaknesses identified by Microsoft and Apple can lead to ransomware incidents as privilege escalation and authenticated attacks can both be used to lock out an administrator out of a certain application or crucial infrastructure.

However, in regards to the Apple zero-day vulnerability, Ryan Cribelar from Nucleus security commented: “Little evidence currently exists as to how the vulnerability was exploited, and there appears to be no publicly available exploit code”.

Meanwhile, Cribelar also stated that there was no evidence of the existence of an exploit used to take advantage of the weaknesses identified by Microsoft in any of these three cases.

Other Related Articles: