The United States Cybersecurity and Infrastructure Security Agency (CISA) has added three recently disclosed flaws in Apple operating systems to its Known Exploited Vulnerabilities Catalogue, as they carry “significant risk to the federal enterprise”.
As such, US government agencies of the federal civilian executive branch are required to patch the vulnerabilities, as per the November 2021 Binding Operational Directive 22-01.
CISA said it strongly urges all organisations to use its vulnerabilities catalogue to reduce their exposure to cyber attacks.
The agency said that vulnerabilities such as the ones affecting Apple’s web content rendering engine “are frequent attack vectors for malicious cyber actors.”
Apple, which issued patches that address the vulnerabilities last week, said unnamed threat actors were actively exploiting the flaws, but did not say who, where and when.
Two of the exploited vulnerabilities were patched with Apple’s new, out-of-band Rapid Security Response system which is used to issue urgent updates.
Apple’s Safari web browser, watchOS, tvOS, iOS, iPadOS and macOS operating systems all received the security updates.
According to BOD 22-01, agencies must deploy the patches before or on June 12 US time at the latest.