CISA warns of high-severity vulnerability in once-popular Microsoft product
Security agency adds CVE-2012-4792 to its catalogue of known vulns and warns it can "execute arbitrary code via a crafted web site"
America's cyber defense agency has updated its known exploited vulnerabilities catalogue with two CVEs: Microsoft's CVE-2012-4792 and Twilio's CVE-2024-39891.
The first is a high-severity use-after-free bug in Internet Explorer, a product that is now end-of-life, which allows remote attackers to "execute arbitrary code via a crafted web site that triggers access to an object that was not properly allocated or has been deleted."
The Stack has previously reported on how a similar lapse was used in Void Banshee campaigns.
The problem should be relatively easy to fix: stop using old software. The Internet Explorer 11 desktop application was retired in June 2022 and is no longer supported. One caveat: removing the browser does not remove the MSHTML rendering engine behind it, which Windows still ships and which the Void Banshee campaign abused to bring IE back to life.
"The impacted product is end-of-life and should be disconnected if still in use," CISA wrote.
While it is not known whether the Microsoft CVE has been exploited recently, it was used in late 2012 by China-linked cyber-espionage actors in a watering-hole attack that compromised the websites of the Council on Foreign Relations and Capstone Turbine Corporation.
See also: Windows 'relics' zombified in Void Banshee zero-day attacks
The Twilio Authy vulnerability is far more recent: an information disclosure bug in which an unauthenticated API endpoint could be queried, in bulk, to learn which phone numbers were registered with the service.
"Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy," the CISA advisory noted.
The advisory also clarified that while the vulnerability had been exploited in the wild in June 2024, Authy accounts remained uncompromised.
Reportedly, thirty-three million phone numbers pulled from Authy were leaked on BreachForums, a hacking forum and marketplace.
CISA advised users to apply vendor mitigations, and to discontinue use of the product if none are available; Twilio has stated that it has since patched the vulnerability.
The company has advised users to update their apps to the latest version, which closes off the unauthenticated endpoint.
In an advisory on the catalogue update, CISA noted that the vulnerabilities had been added on the basis of evidence of active exploitation.
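The Authy bug is a textbook enumeration flaw: an endpoint that answers differently for registered and unregistered numbers, with no authentication and no limit on how many numbers one caller may submit. The block below is an added example, not Twilio's code and not the Authy endpoint; it shows a minimal handler with that weakness beside a hardened version. The handler names, the bearer token, the registry of numbers and the rate-limit figures are all assumptions chosen for illustration.

```python
"""Phone-number enumeration: a differential-response endpoint beside a hardened one.

Added example, not Twilio's code. REGISTERED, API_TOKEN, the handler names and
the rate-limit numbers are assumptions made for illustration.
"""
import hmac
import time
from collections import defaultdict

# Constructed sample registry: which numbers are "registered" with the service.
REGISTERED = {"+15550100", "+15550101"}

API_TOKEN = "example-token"  # assumption: a shared bearer token for callers


def lookup_vulnerable(numbers):
    """The weak pattern: unauthenticated, unlimited batch size, and a response
    that differs per number. One bulk request tells the caller exactly which
    numbers are accounts."""
    return {n: (n in REGISTERED) for n in numbers}


class EnumerationGuard:
    """Sliding-window rate limit per caller plus a cap on batch size."""

    def __init__(self, max_per_window=20, window_seconds=60, max_batch=1):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.max_batch = max_batch
        self._hits = defaultdict(list)  # client_id -> lookup timestamps

    def allow(self, client_id, count, now=None):
        now = time.monotonic() if now is None else now
        # Drop timestamps that have aged out of the window.
        hits = [t for t in self._hits[client_id] if now - t < self.window]
        self._hits[client_id] = hits
        if count > self.max_batch or len(hits) + count > self.max_per_window:
            return False
        hits.extend([now] * count)
        return True


def lookup_hardened(numbers, token, client_id, guard, now=None):
    """The corrected pattern: require a credential, bound batch size and rate,
    and return the same body whether or not a number is registered. Returns an
    HTTP-style (status, body) pair; any real action (sending a verification
    code) would happen out of band, so the caller learns nothing here."""
    if token is None or not hmac.compare_digest(token, API_TOKEN):
        return 401, {"error": "unauthorized"}
    if not guard.allow(client_id, len(numbers), now):
        return 429, {"error": "rate limited"}
    return 202, {"status": "accepted", "count": len(numbers)}
```

The point of the uniform 202 body is that registered and unknown numbers are indistinguishable to the caller; the authentication and rate limit then bound how much an attacker who does hold a credential can learn through timing or volume.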
It also noted that, "these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
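For anyone tracking these additions against their own inventory, the catalogue is published as a JSON feed whose entries carry the CVE ID, vendor and product, CISA's required action and a remediation due date. The block below is an added example, not CISA tooling: it parses a constructed sample in that feed's shape, flags entries whose required action is to disconnect an end-of-life product, and reports whether the due date has passed. The sample entries and their dates are constructed here, and the field names follow the public feed.

```python
"""Triage an inventory of CVE IDs against a CISA KEV catalogue JSON feed.

Added example, not CISA tooling. The sample feed below is constructed and its
dates are assumptions; the field names (cveID, vendorProject, product,
requiredAction, dateAdded, dueDate) follow the public KEV JSON feed.
"""
import json
from datetime import date

# Constructed sample of the KEV feed shape, trimmed to the fields used here.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2012-4792", "vendorProject": "Microsoft",
         "product": "Internet Explorer",
         "requiredAction": "The impacted product is end-of-life and should be "
                           "disconnected if still in use.",
         "dateAdded": "2024-07-23", "dueDate": "2024-08-13"},
        {"cveID": "CVE-2024-39891", "vendorProject": "Twilio", "product": "Authy",
         "requiredAction": "Apply mitigations per vendor instructions or "
                           "discontinue use of the product if mitigations "
                           "are unavailable.",
         "dateAdded": "2024-07-23", "dueDate": "2024-08-13"},
    ],
})


def load_kev(text):
    """Index the feed by upper-cased CVE ID so lookups are O(1) and case-insensitive."""
    feed = json.loads(text)
    return {v["cveID"].upper(): v for v in feed["vulnerabilities"]}


def classify_action(entry):
    """'disconnect' when CISA's required action says the product is end-of-life
    or must be disconnected, otherwise 'mitigate' (patch or discontinue)."""
    text = entry.get("requiredAction", "").lower()
    return "disconnect" if ("end-of-life" in text or "disconnect" in text) else "mitigate"


def triage(cve_ids, kev_index, today):
    """For each CVE in the inventory report whether it is in KEV, which
    product it names, what CISA requires, and whether the due date has passed."""
    results = {}
    for cve in cve_ids:
        entry = kev_index.get(cve.upper())
        if entry is None:
            results[cve] = {"in_kev": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        results[cve] = {
            "in_kev": True,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "action": classify_action(entry),
            "overdue": today > due,
            "days_left": (due - today).days,
        }
    return results


if __name__ == "__main__":
    index = load_kev(SAMPLE_KEV_JSON)
    for cve, info in triage(["CVE-2012-4792", "CVE-2024-39891"], index, date.today()).items():
        print(cve, info)
```

Against the live feed the same functions apply unchanged; the only difference is reading the JSON from CISA's published URL instead of the constructed sample, and feeding in the CVE list from a vulnerability scanner or asset inventory.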