2020-08 Patch Tuesday ! 2 Zero days fixed in wild
- Microsoft has plugged 120 flaws, two of which are being exploited in attacks in the wild
- Adobe has delivered security updates for Adobe Acrobat, Reader and Lightroom
- Apple has released updates for iCloud on Windows
- Google has updated Chrome with security fixes
Microsoft has released patched for 120 CVEs, 17 of which are critical and the rest important. One (CVE-2020-1464) is publicly known and being actively exploited, and another one (CVE-2020-1380) is also under attack.
CVE-2020-1464 allows an attacker to bypass security features intended to prevent improperly signed files from being loaded, and affects all supported versions of Windows, so patching it should definitely be a priority.
“CVE-2020-1464 is proof that security organizations should not be making their patching decisions solely off the CVSS score and severity rating and instead should be approaching all the security vulnerabilities as a gap in their attack surface, welcoming any malicious player into their network,”.
“Coming in only at a CVSS of 5.3, this spoofing vulnerability has been reported exploited in both legacy and newer versions of Windows and Windows Server, which is more worrisome as 25% of connected Windows devices are still running Windows 7.”
CVE-2020-1380 is a bug in Internet Explorer’s scripting engine and allow code execution on a system running a vulnerable version of the browser.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft explained.
“The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
This flaw is also under active attack, so IE users should be protected against it as soon as possible
Trend Micro Zero Day Initiative’s Dustin Childs also singled out CVE-2020-1472, a NetLogon Elevation of Privilege Vulnerability, as very important to patch quickly.
“A vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access,”
“[The patch released today] enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC.
“There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices,” Microsoft has added.
Other critical vulnerabilities have been fixed in the .NET Framework, Media Foundation, Microsoft Edge, the Windows Codecs Library, the MSHTML Engine, the Scripting Engine, Windows Media, and Outlook.
The provided Outlook updates should also be quickly implemented, as they fix two vulnerabilities – a RCE and information disclosure bug – that could be triggered from the Preview Pane.
As announced last week, Microsoft has also delivered today a fix for CVE-2020-1337, a privilege escalation vulnerability in the Windows Print Spooler service, which affects all the Windows releases from Windows 7 to Windows 10 (32 and 64-bit). The researchers who unearthed it have promised to publish a PoC exploit this week.
Keep updated your machines to escape from these exploits untill they go wild …