In the News: CISA adds Excel, Chrome flaws to its exploited vulnerabilities catalog
Published originally on January 3, 2024 on SC Magazine.

The Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed two vulnerabilities on its Known Exploited Vulnerabilities (KEV) catalog, bugs that federal agencies must patch by Jan. 23.

The first bug, CVE-2023-7101, is in Spreadsheet::ParseExcel, an open-source Perl library for reading data from Microsoft Excel files. It is a general-purpose library that enables data import/export operations on Excel files, as well as analysis and automation scripts.

The second bug — CVE-2023-7024 — was widely reported at the end of the year as a critical zero-day flaw (the eighth of 2023) that affects Google Chrome and other Chromium-based browsers such as Microsoft Edge and Opera. The flaw can let malicious attackers compromise the WebRTC component, which is used for real-time communication like video calls.

On the Google zero-day, Ashley Leonard, chief executive officer at Syxsense, said Google acknowledged how critical this vulnerability was by releasing the discovery and disclosure on Dec. 20, just one day after the Google Threat Analysis Group discovered the vulnerability. Leonard said Google also publicly stated that they were aware of in-the-wild exploits, while urging users to update their browsers to the latest version.

“Without updating, there’s no other easy mitigation to defend against the attack,” said Leonard. “In terms of broader significance, it was the eighth Chrome zero-day of 2023. We believe this highlights the increasing frequency of critical vulnerabilities in Chrome, which isn’t surprising when you consider how widely used these products are, but also indicates a potential need for stronger DevSecOps and security measures.”

Read the full story on SC Magazine.