Last week saw the addition of 39 known exploited cybersecurity vulnerabilities to the CISA catalogue, bringing the total added in June so far to 40. The Cybersecurity and Infrastructure Security Agency (CISA), a branch of the US government, released an alert on Wednesday, to make people aware of the threats posed by these vulnerabilities, which they described as a “significant risk”. Big names such as Google, Adobe and Microsoft are amongst the products and software identified as having actively exploited vulnerabilities in this list.  

Google 

Google’s Chromium V8 Engine has been found to have 8 new actively exploited vulnerabilities. Linux, Windows, Mac, and Android users of Google Chrome were all at risk of having an out-of-bounds memory vulnerability exploited, tagged as CVE-2016-5198. The affected versions of Chrome included incorrect assumptions that allowed read/write operations to be performed by a remote attacker, ultimately resulting in code execution through a specially crafted HTML page. Chrome users on these operating systems were also susceptible to a type confusion vulnerability CVE-2017-5070, and a memory corruption vulnerability CVE-2017-5030 , which would also allow remote attackers to execute code inside a sandbox via a HTML page. CVE-2018-17480 is an out-of-bounds write vulnerability, where out-of-bounds JavaScript can potentially allow a remote attacker to do the same, as is also true with remote code execution vulnerability CVE-2018-17463. Another out-of-bounds write vulnerability, CVE-2019-5825, lets remote attackers potentially exploit heap corruption through a purposely designed HTML page, which integer overflow vulnerability CVE-2018-6065 also exploits. Denial of service vulnerability CVE-2016-1646 utilises the Array.prototype.concat implementation in builtins.cc which can cause an out-of-bounds read due to some element data types not being considered correctly.  

Chrome should update automatically, but you can check which version you are running by using the burger menu to enter the settings, then go to ‘About Chrome’. This will display your current Chrome version, and usually this will prompt the download of any available updates. Chrome needs to restart after updating so be sure not to do this when you have any open tabs you do not want to lose. At the time of publishing the current Chrome version is 102.0.5005.115, update to this version to ensure you have received patches to all the above vulnerabilities. 

Adobe 

7 cybersecurity vulnerabilities were found to be actively exploited in Adobe Acrobat and Reader. A double free vulnerability tagged as CVE-2018-4990 allowed attackers to remotely execute arbitrary code through memory corruption. Another memory corruption vulnerability, CVE-2011-2462, can be found in the Universal 3D (U3D) component of Adobe Acrobat and Reader, which allows for remote code execution or denial of service attacks through unknown vectors. U3D also contains an array boundary issue, CVE-2009-3953, through which attackers can execute code via PDF documents. The PDF file format has been identified as a vehicle for remote code attacks in the use-after-free vulnerability CVE-2009-4324, stack-based buffer overflow vulnerability CVE-2010-2883 which also allows for denial-of-service attacks, and another buffer overflow vulnerability CVE-2007-5659, where the code is identified as being executed through JavaScript. The latter of these is thought to be encompassed in the definition of CVE-2008-0655, which tracks multiple vulnerabilities as a design flaw, and allows a hacker to design PDF file which can be printed silently any number of times. 

It was also found that there were 4 actively exploited vulnerabilities in Adobe Flash Player, which is an end-of-life product, and is no longer supported. Updates are therefore not available, and the best advice is to disconnect all end-of-life software that is still in use. However, an unspecified vulnerability CVE-2009-1862, and a memory corruption vulnerability CVE-2010-1297 were found to affect both Adobe Reader and Acrobat, and Adobe Flash Player. Both of these vulnerabilities allow attackers to either create a denial-of-service attack or execute arbitrary code, through the use of .pdf and .swf files. 

Microsoft 

The majority of the actively exploited Microsoft vulnerabilities occur in Microsoft Office, with 5 newly considered vulnerabilities being added to this list this week. Three of these are buffer-overflow vulnerabilities allowing remote code execution, tracked as CVE-2009-0563, which utilises an invalid field length crafted tag, CVE-2013-1331, which includes a PNG made by the attacker in the document to execute this code, and CVE-2010-2572, which is a vulnerability specific to Microsoft PowerPoint. An object record corruption vulnerability tagged as CVE-2009-0557 was found to affect Office files by allowing attackers to run code through a crafted Excel file containing a malformed object. This is similar to the buffer overflow vulnerability CVE-2006-2492, which utilises a malformed object pointer in Microsoft Word and Microsoft Works Suites to execute arbitrary code. 

Other Microsoft vulnerabilities were also identified as being actively exploited, such as the remote code execution vulnerability CVE-2012-0151, in which the Authenticode Signature Verification function in Microsoft Windows (WinVerifyTrust) does not validate the digest signature of a portable executable file, allowing attackers to modify the file with additional content in order to execute code. Microsoft XML Core Services has a memory corruption vulnerability tracked as CVE-2012-1889 that can also allow for remote code execution by attackers, as well as an opportunity for a denial-of-service attack through a malicious website. Microsoft Internet Explorer vulnerability CVE-2012-4969 also requires attackers to use a crafted website, in this case for a use-after-free attack through which they can execute arbitrary code. 

Other notable vulnerabilities include CVE-2022-31460, a Meeting Owl Pro hard-coded credentials vulnerability that allows hackers to activate tethering mode to connect to and infiltrate the connected network, and CVE-2022-26134, an Atlassian Confluence Server vulnerability that allowed remote code execution to be performed by an unauthenticated attacker. Cisco RV Series Routers, multiple NETGEAR devices, QNAP Photo Station, and SAP NetWeaver are also identified as software and products affected by known exploited vulnerabilities. 

In order to reduce the likelihood of suffering from one of these cyber-attacks, patches and updates should be installed as soon as possible after their release. The publishing of all the vulnerabilities on this catalogue can help to organise and prioritise the updates of software with known vulnerabilities that are being commonly exploited to ensure the greatest protection from attack.