CISA Warns of Actively Exploited Bugs in Chrome and Excel Parsing Library

Cyber Threat Summary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog. The first is CVE-2023-7101, affecting the open-source Perl library Spreadsheet::ParseExcel, with a remote code execution flaw. This vulnerability was exploited by Chinese hackers in late December, targeting Barracuda ESG appliances. Mitigations were applied, and an update was released on December 29, 2023.

The second is CVE-2023-7024, a heap buffer overflow issue in WebRTC in Google Chrome, discovered by Google's Threat Analysis Group. The flaw was fixed through an emergency update on December 20, marking the eighth zero-day vulnerability addressed in Chrome for 2023. CISA has given federal agencies until January 23 to mitigate these vulnerabilities according to vendor instructions or cease using the affected products. The Known Exploited Vulnerabilities catalog by CISA is an important resource for organizations worldwide for better vulnerability management and prioritization.

Security Officer Comments:
The flaw was discovered by Google’s Threat Analysis Group (TAG) and received a fix via an emergency update on December 20, in versions 120.0.6099.129/130 for Windows and 120.0.6099.129 for Mac and Linux. This was the eighth zero-day vulnerability Google fixed in Chrome for 2023, underscoring the persistent effort and time hackers devote to finding and exploiting flaws in the widely used web browser.

Suggested Correction(s):
CISA's KEV catalog is a valuable resource for organizations across the globe that aim at better vulnerability management and prioritization.