CISA has updated its Known Exploited Vulnerabilities Catalog with eight vulnerabilities, two of which have remediation dates of February 11. 

The list includes an Apple IOMobileFrameBuffer Memory Corruption vulnerability, a SonicWall SMA 100 Appliances Stack-Based Buffer Overflow vulnerability, a Microsoft Internet Explorer Use-After-Free vulnerability, a Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management vulnerability and two GNU Bourne-Again Shell (Bash) Arbitrary Code Execution vulnerabilities.

Also: CISA adds 13 exploited vulnerabilities to list, 9 with Feb. 1 remediation date

CISA

Recommends

The best antivirus software and apps

A roundup of the best software and apps for Windows and Mac computers, as well as iOS and Android devices, to keep yourself safe from malware and viruses.

Read now

The Apple and SonicWall vulnerabilities have a remediation date for February 11, and the rest have remediation dates of July 28. 

Apple released patches for the vulnerability -- tagged as CVE-2022-22587 -- last week, noting that a malicious application may be able to execute arbitrary code with kernel privileges. Apple said it is "aware of a report that this issue may have been actively exploited" and added that it was discovered by a member of Mercedes-Benz Innovation Lab and two other researchers. 

Rapid7said earlier this month that CVE-2021-20038 -- the SonicWall vulnerability -- has a suggested CVSS score of 9.8 out of 10, explaining in a blog post that by exploiting this issue, "an attack can get complete control of the device or virtual machine that's running the SMA 100 series appliance." 

"This can allow attackers to install malware to intercept authentication material from authorized users or reach back into the networks protected by these devices for further attack. Edge-based network control devices are especially attractive targets for attackers, so we expect continued interest in these kinds of devices by researchers and criminal attackers alike," Rapid7 said. 

Vulcan Cyber CEO Yaniv Bar-Dayan said digital business has a cyber debt problem, tellingZDNetthat this latest batch of eight CVEs added by CISA "proves the adage that 'vulnerabilities age like milk.'" 

"Three of the eight vulnerabilities were first disclosed in 2014, and the average age of the CVEs added to the CISA database today is more than four years. Our IT security teams are struggling to mitigate decade-old risk, much less the threat du jour," Bar-Dayan said. 

Netenrich's John Bambenek said he understood the need to patch the iOS vulnerability quickly but questioned some of the other additions. 

"If the federal government needs another six months to patch an 8-year-old Bash shell vulnerability, then we might as well surrender our IT to North Korea now and save the taxpayers some money," Bambenek said. "What I fail to understand is why ancient vulnerabilities are put on this list with such long periods of time to remediate."

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next