Plenty to keep the security team busy: the US cybersecurity authority is urging everyone to patch a number of software flaws, including some older ones in Microsoft’s Silverlight plug-in and Adobe Flash Player.
The Cybersecurity And Infrastructure Security Agency (CISA) added three batches of must-fix bugs to its catalog of known exploited software vulnerabilities this week. The first covered 21 bugs, the second 20 known exploited bugs and the third covers a further 34. US federal agencies are required to patch the flaws by CISA’s deadline.
Not all of these flaws are at the cutting edge of technology: this lot of patches also includes very old bugs in software like Microsoft Silverlight, which reached end of support in October 2021, and Adobe’s dead Flash Player plugin. All browsers have dropped support for Flash and Flash content, and Microsoft removed Flash from Windows last year.
There’s a chance Silverlight may still be floating around government systems as internal legacy applications or websites. Silverlight applications, for example, will still work in IE Mode in modern Edge.
CISA’s latest updates to its known exploited vulnerabilities catalog includes Flash flaws disclosed in 2016 and 2015 and Silverlight flaws dating back to 2013. It also includes older flaws affecting WhatsApp, Kaseya, Mozilla Firefox, Apple’s iOS, and Google Chrome.
There are also a number of Windows flaws disclosed between 2015 and 2018, several Internet Explorer bugs from 2014, a Linux kernel privilege escalation flaw from 2014, and several Oracle Java remote code execution bugs dating back to 2010.
Despite the age of some of the flaws, it is known that malware operators frequently use exploits for old bugs with the knowledge that some software isn’t patched. HP’s threat researcher this week warned that attackers behind the Snake keylogger were using exploits for a bug in Microsoft’s legacy Equation Editor software (CVE-2017-11882) that was disclosed in 2017. Attackers jumped on that flaw after Microsoft patched it in late 2017. Microsoft removed its functionality from Word in 2018, yet it remains a popular bug to exploit today.
One of the newer ‘must patch’ bugs disclosed in 2022 affected Cisco’s IOS XR software (CVE-2022-20821). Cisco disclosed it last week and gave it a medium severity rating, noting it was aware of “attempted exploitation” of it in the wild in May.
Regardless of the age of most of the bugs, CISA notes that “these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.”