CISA, the US Cybersecurity and Infrastructure Security Agency, has listed two vulnerabilities it says must be fixed within two weeks. Both are being actively exploited. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must patch these vulnerabilities. According to CISA, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”

The first is an Apple issue, listed as CVE-2022-22587. While there is little detail in the CVE database, Packet Storm has three entries related to this CVE. Apple released updates for iOS and macOS on 27 Jan. CISA has put a fix-by date of 11 Feb on this issue.

The second issue affects Microsoft and is listed as CVE-2022-21882, a Win32k Elevation of Privilege Vulnerability. Microsoft included a patch for it in its January Patch Tuesday updates. The issue affects both Windows clients and Windows servers. CISA has put a fix-by date of 18 Feb on this issue.

Enterprise Times: What does this mean?

CISA is doing a good job of tracking vulnerabilities and warning of the risks they pose. Setting “patch-by” dates gives US FCEB agencies a deadline to apply the relevant patches. The question is, can they? Much will depend on their current device and patch management strategies. As in many organisations, some users will be working on devices they own, and forcing patches onto those devices will be difficult.
