CISA Puts Chrome and Magento Zero-Days on Must-Patch List


The US authorities have added another nine exploited vulnerabilities for federal agencies to patch, including one zero-day bug being used to hijack e-commerce sites.

The US Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities Catalog yesterday.

The most urgent patches must be applied by March 1. They relate to two zero-day vulnerabilities: an improper input validation flaw in Adobe Commerce and Magento Open Source, and a use-after-free vulnerability in Google Chrome.

The Adobe bug (CVE-2022-24086) was patched by the firm on Sunday after being given a CVSS score of 9.8.

Exploitable without authentication, the critical vulnerability could allow a remote attacker to execute arbitrary code on an affected system, potentially enabling digital skimming attacks against e-commerce sites that run the software.

Although Adobe said it had seen only “very limited” attacks in the wild, the fact that the company took the unusual step of issuing an out-of-band patch over the weekend highlights the potential impact of exploitation.

The Chrome vulnerability (CVE-2022-0609) is the browser’s first zero-day bug of the year and is rated high severity.

It could allow a remote attacker to create a specially crafted web page, trick a user into visiting it via a phishing attack and then execute arbitrary code on their machine. Google said the update will be incorporated into version 98.0.4758.102 and rolled out over the “coming days/weeks.”

The catalog was launched in November 2021 as part of Binding Operational Directive (BOD) 22-01, designed to make civilian federal government agencies more cyber-resilient.

However, it is also recommended as best practice for all organizations to prioritize their patching efforts according to the list, given that all the bugs therein have been actively exploited in the wild.
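The cross-referencing described above, as an added example that is not part of the original article or of any CISA tooling: it indexes a local copy of the KEV feed by CVE ID, matches scanner findings against it, and orders the hits by remediation due date so overdue items surface first. The feed excerpt and the scanner findings are constructed for this example (the field names follow the shape of CISA's published JSON feed, which is an assumption noted in the code; only the two CVEs named in the article are used, and CVE-0000-0000 is a deliberately invalid placeholder standing in for a finding that is not in the catalog).

```python
"""Prioritise scanner findings against the CISA Known Exploited Vulnerabilities feed.

Added example: runs offline against a constructed excerpt of the feed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The field names
# (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate,
# requiredAction) are assumed to match the published feed; the entries below
# reproduce the two zero-days from the article and nothing else.
KEV_FEED_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2022-24086", "vendorProject": "Adobe",
         "product": "Commerce and Magento Open Source",
         "vulnerabilityName": "Improper Input Validation Vulnerability",
         "dateAdded": "2022-02-15", "dueDate": "2022-03-01",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-0609", "vendorProject": "Google", "product": "Chrome",
         "vulnerabilityName": "Use-After-Free Vulnerability",
         "dateAdded": "2022-02-15", "dueDate": "2022-03-01",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner output: (asset, CVE ID) pairs. IDs arrive in mixed case to
# show normalisation; CVE-0000-0000 is an invalid placeholder for a finding that
# the catalog does not contain.
FINDINGS_SAMPLE = [
    ("shop-web-01", "cve-2022-24086"),
    ("laptop-042", "CVE-2022-0609"),
    ("laptop-042", "CVE-0000-0000"),
]


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by upper-cased CVE ID for constant-time lookups."""
    feed = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def triage(findings, kev: dict, today: date) -> list:
    """Return KEV-listed findings, most urgent first.

    Each hit carries days_left relative to `today`; a negative value means the
    BOD 22-01 due date has already passed. Findings absent from the catalog are
    dropped so the caller sees only items with evidence of in-the-wild exploitation.
    """
    hits = []
    for asset, cve_id in findings:
        entry = kev.get(cve_id.strip().upper())
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "asset": asset,
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "action": entry["requiredAction"],
        })
    # Overdue first, then soonest due date, then CVE ID for a stable report.
    hits.sort(key=lambda h: (h["days_left"], h["cve"]))
    return hits


def overdue(hits: list) -> list:
    """Subset of triaged hits whose due date has passed."""
    return [h for h in hits if h["days_left"] < 0]


if __name__ == "__main__":
    catalog = load_kev(KEV_FEED_SAMPLE)
    for hit in triage(FINDINGS_SAMPLE, catalog, date(2022, 2, 16)):
        status = "OVERDUE" if hit["days_left"] < 0 else f'{hit["days_left"]} days left'
        print(f'{hit["asset"]:12} {hit["cve"]:15} {hit["product"]:36} due {hit["due"]} ({status})')
```

In practice the feed would be fetched from CISA and cached locally, and `today` comes from `date.today()`; it is a parameter here so the report is reproducible and testable. The placeholder finding is silently discarded, which is the intended behaviour: the point of KEV-driven prioritisation is to treat catalog membership as the filter, not to replace a full vulnerability backlog.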

The remaining seven on this latest updated list must be fixed by August 15 2022, according to CISA. They include another use-after-free flaw in Adobe Flash Player and bugs affecting four Microsoft products: Word, Internet Explorer, Windows and the Microsoft Graphics Component.
