The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. federal agencies to patch security vulnerabilities in products from Apple, Microsoft, IBM, Google, Cisco, and many other vendors by November 17, 2021. The agency has published a catalog of 306 vulnerabilities known to be exploited in the wild, some of which date back to 2010.
Separately, the U.S. Commerce Department's Bureau of Industry and Security (BIS) added the Israeli company NSO Group to its Entity List over its Pegasus spyware, which has been used to hack iPhone and Android devices. The Russian company Positive Technologies and Singapore's Computer Security Initiative Consultancy PTE. LTD. were added to the Entity List at the same time because they "traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide."
CISA says federal agencies and private companies should apply patches for the catalogued vulnerabilities, including Apple's, to reduce the risk of attack
Under Binding Operational Directive 22-01, CISA orders US federal civilian agencies to remediate catalogued vulnerabilities that were assigned a CVE ID in 2021 by November 17, 2021, and all older catalogued vulnerabilities by May 3, 2022. The directive also strongly recommends that private organizations update their Apple and third-party products to the latest security fixes. CISA Director Jen Easterly said:
“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors.
The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks.
While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”
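The deadline rule described above is something a vulnerability-management team has to apply to its own inventory, so here is an added worked example (not CISA's or the article's own code) that derives the BOD 22-01 due date from a CVE ID, reads a catalog in the shape of CISA's machine-readable feed, and lists which assets are overdue as of a given date. The catalog entries, CVE IDs, vendor names and inventory are constructed placeholders, not real catalog records, and the feed schema is assumed from the public JSON feed.

```python
"""Added example: triage an asset inventory against a KEV-style catalog under BOD 22-01."""
import json
from datetime import date, datetime

# Deadline rule from the directive: catalog entries with a 2021 CVE ID were
# due 2021-11-17, older entries 2022-05-03. Entries added to the catalog
# later carry their own dueDate in the feed, so that field wins when present.
DUE_2021 = date(2021, 11, 17)
DUE_OLDER = date(2022, 5, 3)


def cve_year(cve_id: str) -> int:
    """Year component of a CVE ID, e.g. 'CVE-2010-1234' -> 2010."""
    parts = cve_id.strip().upper().split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(parts[1])


def bod_due_date(cve_id: str) -> date:
    """Remediation deadline under the initial BOD 22-01 rule."""
    return DUE_2021 if cve_year(cve_id) == 2021 else DUE_OLDER


# Constructed sample in the shape of CISA's JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs, vendors and products below are placeholders, not real records.
SAMPLE_CATALOG = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-2021-00001", "vendorProject": "ExampleVendor", "product": "Phone OS",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2010-00002", "vendorProject": "ExampleVendor", "product": "Router",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory: which CVEs a scanner reported on which assets.
SAMPLE_INVENTORY = {
    "phone-17": ["CVE-2021-00001"],
    "edge-rtr-2": ["CVE-2010-00002", "CVE-2019-00003"],  # second CVE is not in the catalog
}


def load_catalog(feed_text: str) -> dict:
    """Index a KEV-style JSON feed by CVE ID."""
    data = json.loads(feed_text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def entry_due_date(entry: dict) -> date:
    """Use the feed's dueDate when present, otherwise derive it from the BOD rule."""
    if entry.get("dueDate"):
        return datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
    return bod_due_date(entry["cveID"])


def triage(catalog: dict, inventory: dict, today: date) -> list:
    """Return (asset, cveID, dueDate, days_left, status) for every inventory CVE in the catalog."""
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = catalog.get(cve)
            if entry is None:
                continue  # not known-exploited per the catalog; normal patch cadence applies
            due = entry_due_date(entry)
            days_left = (due - today).days
            status = "OVERDUE" if days_left < 0 else "DUE"
            findings.append((asset, cve, due, days_left, status))
    findings.sort(key=lambda f: f[3])  # most urgent first
    return findings


def run_sample(today_iso: str = "2021-12-01") -> list:
    """Run the triage on the constructed data for a chosen reference date."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    return triage(load_catalog(SAMPLE_CATALOG), SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Swap `SAMPLE_CATALOG` for the downloaded feed and `SAMPLE_INVENTORY` for your scanner's output and the same code produces the overdue list the directive asks agencies to track; CVEs that a scanner reports but that are absent from the catalog are deliberately left to the normal patch cycle rather than flagged.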
Although Apple markets the iPhone as a device that is very hard to hack, several reports have shown that NSO Group's Pegasus was used by governments around the world to compromise the iPhones of journalists, human rights activists, and rival politicians via zero-day exploits. Apple says it releases security patches promptly, but some security researchers have described disappointing experiences with the company's bug bounty program, reporting that Apple not only took too long to respond to submitted zero-click exploits but also took too long to patch them. To mitigate the threat of such attacks, companies like Apple must take reported vulnerabilities seriously.