The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a Binding Operational Directive, requiring federal agencies to apply 24 Apple security patches.
The deadline for some of these is November 17, less than two weeks from now.
The directive is mandatory for federal agencies, and is recommended to all organizations. The Record notes that Apple is one of a number of companies whose patches must be applied.
The directive says that “it is essential to aggressively remediate known exploited vulnerabilities.”
The US Cybersecurity and Infrastructure Security Agency today established a public catalog of vulnerabilities known to be exploited in the wild and issued a binding operational directive ordering US federal agencies to patch affected systems within specific timeframes and deadlines.
The catalog – available online here – currently lists 306 vulnerabilities, with some as old as 2010, that are still being exploited in the wild.
This includes vulnerabilities for products from Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM, and many other companies, small and large alike.
For the vulnerabilities disclosed this year (those with CVE identifiers of the form CVE-2021-*), CISA has ordered US federal civilian agencies to apply patches by November 17, 2021.
For older vulnerabilities, agencies have to patch systems by May 3, 2022.
“These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents,” CISA said in a binding operational directive today.
CISA Director Jen Easterly says that federal agencies are being targeted daily.
The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The federal government must improve its efforts to protect against these campaigns by ensuring the security of information technology assets across the federal enterprise.
Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types. These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents.
You can see the full list of vulnerabilities here.
Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors.