CISA Warns: Critical Exploits Targeting Microsoft and Twilio Authy Discovered in the Wild
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding two actively exploited vulnerabilities affecting Microsoft Internet Explorer and Twilio Authy, a popular two-factor authentication app. The vulnerabilities, identified as CVE-2012-4792 and CVE-2024-39891, pose significant risks to users and organizations.
Microsoft Internet Explorer Flaw
The first vulnerability, CVE-2012-4792 (CVSS 9.3), is a decade-old “use-after-free” flaw in Microsoft Internet Explorer versions 6 through 8 that has resurfaced in active exploitation. Although these versions are obsolete, their continued use in legacy systems makes them attractive targets for attackers. Successful exploitation could lead to remote code execution, allowing attackers to take control of affected systems.
Twilio Authy: Two-Factor Authentication Under Threat
The second vulnerability, CVE-2024-39891 (CVSS 5.3), impacts Twilio Authy, a widely used two-factor authentication (2FA) app. This flaw allowed unauthorized access to phone number data, potentially aiding malicious actors in targeted phishing (smishing) and SIM swapping attacks. While a patch has been released, the leaked data remains a concern, as it could be exploited for malicious purposes.
CISA Urges Immediate Action
CISA has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting their active exploitation and the urgent need for remediation. Federal agencies have been given a deadline of August 13, 2024, to patch their systems.
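Organizations that track KEV deadlines usually automate the check rather than reading the catalog by hand. The following is an added example, not code from the article or from CISA: it parses a constructed sample in the shape of CISA's KEV JSON feed (the live feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and reports, for a list of CVEs an organization cares about, whether each is in the catalog and how many days remain before its remediation due date. The two CVEs and the August 13, 2024 due date come from the article; the dateAdded values and description strings in the sample are assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (same field names as the
# real feed). dateAdded and shortDescription values are assumptions; the dueDate is
# the August 13, 2024 deadline stated in the article.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "catalogVersion": "sample",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2012-4792",
      "vendorProject": "Microsoft",
      "product": "Internet Explorer",
      "vulnerabilityName": "Microsoft Internet Explorer Use-After-Free Vulnerability",
      "dateAdded": "2024-07-23",
      "shortDescription": "Constructed sample entry.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2024-08-13",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    },
    {
      "cveID": "CVE-2024-39891",
      "vendorProject": "Twilio",
      "product": "Authy",
      "vulnerabilityName": "Twilio Authy Information Disclosure Vulnerability",
      "dateAdded": "2024-07-23",
      "shortDescription": "Constructed sample entry.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2024-08-13",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""


def load_kev(text: str) -> dict:
    """Parse a KEV feed document and index its entries by CVE ID."""
    data = json.loads(text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def kev_status(catalog: dict, cve_ids, today: str) -> dict:
    """For each CVE of interest, report KEV membership and due-date standing.

    `today` is an ISO date string (YYYY-MM-DD) so callers can evaluate a
    fixed reporting date rather than the wall clock.
    """
    as_of = date.fromisoformat(today)
    report = {}
    for cve in cve_ids:
        entry = catalog.get(cve)
        if entry is None:
            # Not in KEV: no federal due date applies, but the CVE may still matter.
            report[cve] = {"in_kev": False, "due": None, "days_left": None, "overdue": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - as_of).days
        report[cve] = {
            "in_kev": True,
            "due": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "required_action": entry["requiredAction"],
        }
    return report


def overdue_cves(catalog: dict, cve_ids, today: str) -> list:
    """Return the sorted list of tracked CVEs whose KEV due date has passed."""
    status = kev_status(catalog, cve_ids, today)
    return sorted(cve for cve, s in status.items() if s["overdue"])


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    tracked = ["CVE-2012-4792", "CVE-2024-39891", "CVE-2099-0001"]  # last one is a made-up control
    for cve, s in kev_status(catalog, tracked, "2024-08-01").items():
        if s["in_kev"]:
            print(f"{cve}: in KEV, due {s['due']}, {s['days_left']} day(s) left, overdue={s['overdue']}")
        else:
            print(f"{cve}: not in KEV")
```

In production the `SAMPLE_KEV_JSON` string would be replaced by the downloaded feed, and the tracked CVE list would come from the organization's vulnerability scanner output; the status dictionary then feeds a ticketing or dashboard system so that entries approaching or past their due date are escalated.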
Recommendations for Users and Organizations
- Patch Immediately: Apply the latest security updates for Microsoft Internet Explorer and Twilio Authy.
- Disable Legacy Browsers: If possible, discontinue the use of outdated Internet Explorer versions.
- Strengthen Security: Enable strong passwords, multi-factor authentication, and stay vigilant against phishing attempts.
- Monitor Accounts: Keep a close eye on financial and sensitive accounts for any suspicious activity.