End users, admins, and researchers better brace yourselves: The number of apps being patched for zero-day vulnerabilities has skyrocketed this month and is likely to get worse in the following weeks.
People have worked overtime in recent weeks to patch a raft of vulnerabilities actively exploited in the wild, with offerings from Apple, Microsoft, Google, Mozilla, Adobe, and Cisco all being affected since the beginning of the month. The total number of zero-days in September so far is 10, compared with a total of 60 from January through August, according to security firm Mandiant. The company tracked 55 zero-days in 2022 and 81 in 2021.
The number of zero-days tracked this month is considerably higher than the monthly average this year. A sampling of the affected companies and products includes iOS and macOS, Windows, Chrome, Firefox, Acrobat and Reader, the Atlas VPN, and Cisco’s Adaptive Security Appliance Software and its Firepower Threat Defense. The number of apps is likely to grow because a single vulnerability that allows hackers to execute malicious code when users open a booby-trapped image included in a message or web page is present in possibly hundreds of apps.
This vulnerability, tracked as CVE-2023-4863, originates in a widely used code library known as libwebp, which Google created more than a decade ago to render the then-new WebP graphics format. Libwebp, in turn, is incorporated into roughly 70 downstream libraries that are included in other libraries and popular apps. A single affected intermediate library known as Electron, for instance, runs in Microsoft Teams, Slack, Skype, Discord, and the desktop version of the Signal messenger, to name a few. Electron developers fixed the bug on Tuesday.
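Because a vulnerable libwebp can sit several layers below an application, as the article describes with Electron, a practical first check is to walk a software bill of materials and surface every transitive path to libwebp. The script below is an added example, not code from the article or from any of the projects named; it uses a constructed CycloneDX-style SBOM, and the fixed version passed in is a placeholder that must be taken from the libwebp advisory.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM in CycloneDX JSON layout (components + dependencies).
# Component names and versions are made up for illustration only.
SAMPLE_SBOM = json.loads("""{
  "metadata": {"component": {"bom-ref": "app@2.0.0", "name": "chat-app", "version": "2.0.0"}},
  "components": [
    {"bom-ref": "electron@25.0.0", "name": "electron", "version": "25.0.0"},
    {"bom-ref": "sharp@0.32.0", "name": "sharp", "version": "0.32.0"},
    {"bom-ref": "libwebp@1.0.0", "name": "libwebp", "version": "1.0.0"},
    {"bom-ref": "libwebp@1.1.0", "name": "libwebp", "version": "1.1.0"}
  ],
  "dependencies": [
    {"ref": "app@2.0.0", "dependsOn": ["electron@25.0.0", "sharp@0.32.0"]},
    {"ref": "electron@25.0.0", "dependsOn": ["libwebp@1.0.0"]},
    {"ref": "sharp@0.32.0", "dependsOn": ["libwebp@1.1.0"]}
  ]
}""")


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))


def vulnerable_libwebp_paths(sbom: dict, fixed_version: str) -> List[List[str]]:
    """Return every dependency chain (root -> ... -> libwebp) whose libwebp
    version is older than fixed_version. fixed_version is a placeholder here."""
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges: Dict[str, List[str]] = {d["ref"]: d.get("dependsOn", [])
                                   for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    hits: List[List[str]] = []

    def walk(ref: str, path: List[str]) -> None:
        if ref in path:  # guard against cyclic dependency graphs
            return
        path = path + [ref]
        comp = comps.get(ref)
        if (comp and comp["name"] == "libwebp"
                and version_tuple(comp["version"]) < version_tuple(fixed_version)):
            hits.append(path)
        for child in edges.get(ref, []):
            walk(child, path)

    walk(root, [])
    return hits


if __name__ == "__main__":
    for chain in vulnerable_libwebp_paths(SAMPLE_SBOM, "1.1.0"):  # placeholder fixed version
        print(" -> ".join(chain))
```

The same walk works on a real SBOM exported from a build pipeline; only the chains that reach an outdated libwebp are reported, each with the intermediate library that pulled it in.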
Two different zero-days that have been keeping iOS and macOS users busy, meanwhile, were recently used in the wild to infect targets with an advanced piece of spyware known as Pegasus. Pegasus and the accompanying exploits used to install it are developed by the controversial seller NSO. The exploits delivered in attacks Apple warned of last week were transmitted through iMessage calls and worked even when a user took no action.
These vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061, have a couple of things in common with the libwebp vulnerability. For one, both provide remote code execution through malicious images. For another, both were discovered by a team comprising Apple’s Security Engineering and Architecture team and Citizen Lab, a research group at the University of Toronto that tracks nation-state cyberattacks. It’s currently unknown what relationship, if any, CVE-2023-41064 and CVE-2023-41061 have with CVE-2023-4863.
Three different zero-days came to light on Tuesday, two from Microsoft and one from Adobe. One of them, CVE-2023-36761, allows hackers to obtain sensitive information such as password hashes by sending a target a malicious Word document. The other Microsoft vulnerability resides in the Streaming Service Proxy in supported versions of Windows. The Adobe vulnerability, tracked as CVE-2023-26369 and residing in Acrobat and Reader, has a severity rating of 7.8 out of a possible 10 and allows attackers to remotely execute code.
Two other zero-days reported in the past two weeks include:
- CVE-2023-20269 in Cisco’s Adaptive Security Appliance Software and its Firepower Threat Defense. The company revealed on Monday that it is being exploited in ransomware attacks.
- CVE-2023-35674, a vulnerability in Android that allows hackers to gain elevated privileges.
On September 1, a researcher took to Reddit to post an exploit for an unpatched vulnerability in the Atlas VPN. It allows an attacker to learn the IP address of people using the VPN. Atlas representatives didn’t immediately respond to an email asking about the status of the vulnerability.
It’s possible that yet another zero-day has come under exploitation in recent weeks. Researchers with Google’s Project Zero said last week that hackers backed by the North Korean government are exploiting it in attacks targeting security researchers. The researchers didn’t name the affected software.
With 70 zero-days uncovered so far this year, 2023 is on track to beat the previous record of 81 set in 2021. The most effective remedy is to install security patches as soon as they become available. Of course, that advice does nothing for the targets that are struck before the exploits become publicly known and patches have been issued. So it bears repeating our standard precautions:
- Be suspicious of links, particularly those in email or messages, and don’t ever follow prompts to install or update apps or browser extensions.
- Use a firewall such as the one in Windows or the LuLu firewall for macOS. These programs won’t prevent you from being infected by zero-days or other types of exploits. But by requiring newly installed apps to receive permission the first time they try to make an outgoing connection to the Internet, firewalls can contain the damage any installed malware can do.
- Run antivirus software.
One other thing to remember regarding zero-days: Most of us aren’t likely to be targeted by one. Exploits for this class of vulnerability often cost $1 million or more, and once they’re unleashed on the Internet, it’s generally only a matter of days until they become public knowledge and lose their value. That means zero-days are likely to be used only on a very small base of targets deemed to be high-value, such as government officials, dissidents, large companies, and holders of large amounts of cryptocurrency.