Vulnerability Management, Threat Management

CISA: Immediate patching needed for zero-days exploited for spyware distribution

Federal agencies have been urged by the Cybersecurity and Infrastructure Security Agency to remediate five of 10 zero-day vulnerabilities leveraged in two spyware campaigns by April 20, reports BleepingComputer. CISA has updated its Known Exploited Vulnerabilities catalog to include an out-of-bounds write flaw in iOS, iPadOS, and macOS, tracked as CVE-2021-30900; a use-after-free flaw in the Arm Mali GPU kernel driver, tracked as CVE-2022-38181; an unspecified flaw in the Arm GPU kernel driver, tracked as CVE-2022-22706; and use-after-free bugs in Google Chrome and the Linux kernel, tracked as CVE-2022-3038 and CVE-2023-0266, respectively. Google's Threat Analysis Group reported that these vulnerabilities have been used in attacks since November, which involved different exploit chains for spyware deployment on iOS and Android devices, while different zero- and n-day flaws have been used to target Samsung Android phones with spyware. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," said CISA.
