The Cybersecurity and Infrastructure Security Agency (CISA) has added five vulnerabilities to its Known Exploited Vulnerabilities Catalog, to include two Apple, two Microsoft and one OpenSSL vulnerability.
An attacker could exploit these vulnerabilities to take control of impacted systems.
The two Apple ‘Type Confusion’ vulnerabilities (CVE-2021-1789 and CVE-2019-8506) affect multiple Apple products and were patched.
On January, 2021, Apple fixed CVE-2021-1789 in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4, Safari 14.0.3.
On March, 2019, Apple patched CVE-2019-8506 in iOS 12.2, tvOS 12.2, watchOS 5.2, Safari 12.1, iTunes 12.9.4 for Windows, iCloud for Windows 7.11.
The Microsoft and OpenSSL vulnerabilities were originally fixed in 2014, with some updates in more recent years.
What is also interesting is on February 11, 2014, FireEye identified CVE-2014-0322 being served up from the U.S. Veterans of Foreign Wars’ website (vfw[.]org) as part of “Operation SnowMan.”
“We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend,” FireEye wrote in a blog post at the time.
A full list of the most recently added exploited vulnerabilities as of May 4, 2022:
| CVE | Vulnerability Name |
|---|---|
| CVE-2021-1789 | Apple Multiple Products Type Confusion Vulnerability |
| CVE-2019-8506 | Apple Multiple Products Type Confusion Vulnerability |
| CVE-2014-4113 | Microsoft Win32k Privilege Escalation Vulnerability |
| CVE-2014-0322 | Microsoft Internet Explorer Use-After-Free Vulnerability |
| CVE-2014-0160 | OpenSSL Information Disclosure Vulnerability |