2020-08 Patch Tuesday: two zero-days exploited in the wild fixed

  • Microsoft has plugged 120 flaws, two of which are being exploited in attacks in the wild
  • Adobe has delivered security updates for Adobe Acrobat, Reader and Lightroom
  • Apple has released updates for iCloud on Windows
  • Google has updated Chrome with security fixes

Microsoft’s updates

Microsoft has released patches for 120 CVEs, 17 of which are rated critical and the rest important. One (CVE-2020-1464) is publicly known and being actively exploited, and another (CVE-2020-1380) is also under attack.

CVE-2020-1464 allows an attacker to bypass security features intended to prevent improperly signed files from being loaded, and affects all supported versions of Windows, so patching it should definitely be a priority.

“CVE-2020-1464 is proof that security organizations should not be making their patching decisions solely off the CVSS score and severity rating and instead should be approaching all the security vulnerabilities as a gap in their attack surface, welcoming any malicious player into their network.”

“Coming in only at a CVSS of 5.3, this spoofing vulnerability has been reported exploited in both legacy and newer versions of Windows and Windows Server, which is more worrisome as 25% of connected Windows devices are still running Windows 7.”

CVE-2020-1380 is a memory corruption bug in Internet Explorer’s scripting engine that allows code execution on a system running a vulnerable version of the browser.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft explained.

“The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

This flaw is also under active attack, so IE users should apply the patch as soon as possible.

Trend Micro Zero Day Initiative’s Dustin Childs also singled out CVE-2020-1472, a NetLogon Elevation of Privilege Vulnerability, as very important to patch quickly.

“A vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access.”

“[The patch released today] enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC.”

“There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices,” Microsoft has added.
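As an added example (not code from the page, from ZDI or from Microsoft), the script below triages the monitoring phase that Childs and Microsoft describe. A DC running the August update logs event ID 5829 for each vulnerable Netlogon secure channel it still allows, 5827/5828 for channels it denies, and 5830/5831 for channels permitted through the “Allow vulnerable Netlogon secure channel connections” group policy; these event IDs come from Microsoft’s KB4557222 guidance, while the CSV export layout, host names and account names are constructed assumptions. Any account still producing 5829 needs a vendor update or an explicit policy exception before the DC is switched to enforcement mode by setting the FullSecureChannelProtection registry value (under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) to 1.

```python
"""Triage Netlogon secure-channel events exported from a patched DC.

Added example, not code from the page or from Microsoft. Event IDs follow
Microsoft's KB4557222 guidance; the CSV layout and names are constructed.
"""
import csv
import io

# Event IDs logged by a DC running the August 2020 Netlogon update (KB4557222).
DENIED = {5827, 5828}             # vulnerable connection denied (machine / trust account)
ALLOWED_VULNERABLE = {5829}       # vulnerable connection still allowed (deployment phase)
ALLOWED_BY_POLICY = {5830, 5831}  # allowed via the "Allow vulnerable Netlogon secure channel connections" GPO

# Constructed sample export (assumed layout: TimeCreated,EventID,Computer,Account).
SAMPLE_EXPORT = """TimeCreated,EventID,Computer,Account
2020-08-12T08:01:00,5829,DC01,NAS-OLD$
2020-08-12T08:01:30,5829,DC01,PRINTER-LEGACY$
2020-08-12T08:02:00,5830,DC01,SCANNER$
2020-08-12T08:03:00,5827,DC02,ROGUE-BOX$
2020-08-12T08:04:00,5829,DC02,NAS-OLD$
2020-08-12T08:05:00,4624,DC02,ALICE
"""


def triage(csv_text: str) -> dict:
    """Bucket accounts by how the DC treated their Netlogon secure channel."""
    result = {"needs_update": set(), "denied": set(), "exception": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event_id = int(row["EventID"])
        except (KeyError, ValueError):
            continue  # malformed row: skip it rather than abort the report
        account = (row.get("Account") or "").strip()
        if event_id in ALLOWED_VULNERABLE:
            result["needs_update"].add(account)
        elif event_id in DENIED:
            result["denied"].add(account)
        elif event_id in ALLOWED_BY_POLICY:
            result["exception"].add(account)
        # anything else (e.g. 4624 logons) is not a Netlogon secure-channel event
    return result


def enforcement_ready(csv_text: str) -> bool:
    """True when no device still relies on a vulnerable (5829) channel, i.e.
    when it is safe to set FullSecureChannelProtection=1 on the DCs."""
    return not triage(csv_text)["needs_update"]


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT)
    for bucket, accounts in report.items():
        print(f"{bucket:13s}: {', '.join(sorted(accounts)) or '-'}")
    print("ready for enforcement:", enforcement_ready(SAMPLE_EXPORT))
```

Run it against a real export by replacing SAMPLE_EXPORT with the CSV produced from the DC’s System log filtered to event IDs 5827 through 5831; the "needs_update" bucket is the list to chase with device vendors before the Q1 2021 enforcement update lands.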

Other critical vulnerabilities have been fixed in the .NET Framework, Media Foundation, Microsoft Edge, the Windows Codecs Library, the MSHTML Engine, the Scripting Engine, Windows Media, and Outlook.

The Outlook updates should also be applied quickly, as they fix two vulnerabilities – an RCE and an information disclosure bug – that can be triggered from the Preview Pane without the user opening the message.

As announced last week, Microsoft has also delivered a fix for CVE-2020-1337, a privilege escalation vulnerability in the Windows Print Spooler service that affects all Windows releases from Windows 7 to Windows 10 (32- and 64-bit). The researchers who unearthed it have promised to publish a PoC exploit this week.

Keep your machines patched so you are protected before public exploits for these bugs start circulating.

Microsoft introduces Double Key Encryption and new security features

O365 offering: Double Key Encryption

Secure information sharing is always a challenge, and Microsoft thinks Double Key Encryption is the right solution for organizations in highly regulated industries.

“Double Key Encryption uses two keys to protect your data—one key in your control, and a second key is stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security.”

“You can host the Double Key Encryption service used to request your key, in a location of your choice (on-premises key management server or in the cloud) and maintain it as you would any other application.”

This lets organizations migrate sensitive data to the cloud, or share it through a cloud platform, without relying solely on the provider’s encryption: because one of the two keys never leaves the customer’s key service, neither the cloud provider nor collaborating third parties can read the protected data on their own.
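To make the two-key property concrete, the following added example (not Microsoft’s DKE implementation, which uses the customer’s RSA key service and Azure-held keys) wraps a per-document content key first under a customer-held key and then under a cloud-held key, so unwrapping needs both; a party holding only one key gets an authentication failure instead of plaintext. The primitives are stdlib HMAC-SHA256 used as a keystream plus an encrypt-then-MAC tag, chosen so the script runs without third-party packages; a production design would use AES-GCM and RSA-OAEP in the same roles. The key values and document bytes are constructed.

```python
"""Two-key envelope encryption: unwrapping the content key needs both holders.

Added example, not Microsoft's Double Key Encryption code. Illustrative
primitives only (HMAC-SHA256 keystream + encrypt-then-MAC tag); use
AES-GCM / RSA-OAEP for the same roles in a real system.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one secret key.
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode PRF stream: HMAC(enc_key, nonce || counter) blocks.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Return nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def protect(document: bytes, customer_key: bytes, cloud_key: bytes) -> dict:
    """Encrypt the document under a fresh content key, then wrap that key twice."""
    content_key = os.urandom(32)
    body = seal(content_key, document, aad=b"document")
    inner = seal(customer_key, content_key, aad=b"content-key")   # customer-held layer
    outer = seal(cloud_key, inner, aad=b"content-key-wrapped")     # cloud-held layer on top
    return {"body": body, "wrapped_key": outer}


def unprotect(package: dict, customer_key: bytes, cloud_key: bytes) -> bytes:
    """Peel the cloud layer, then the customer layer, then decrypt the body."""
    inner = unseal(cloud_key, package["wrapped_key"], aad=b"content-key-wrapped")
    content_key = unseal(customer_key, inner, aad=b"content-key")
    return unseal(content_key, package["body"], aad=b"document")


def can_decrypt(package: dict, customer_key: bytes, cloud_key: bytes) -> bool:
    try:
        unprotect(package, customer_key, cloud_key)
        return True
    except ValueError:
        return False


def demo() -> dict:
    # Constructed keys: in DKE terms one lives on-premises, the other in Azure.
    customer_key, cloud_key = os.urandom(32), os.urandom(32)
    package = protect(b"Board minutes, Q3 - restricted", customer_key, cloud_key)
    return {
        "both_keys": can_decrypt(package, customer_key, cloud_key),
        "cloud_key_only": can_decrypt(package, os.urandom(32), cloud_key),
        "customer_key_only": can_decrypt(package, customer_key, os.urandom(32)),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the layers matters in practice: the cloud side can peel its own layer off the wrapped key and still learn nothing, because what it uncovers is another ciphertext under the customer key.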

Microsoft Endpoint Data Loss Prevention

“Data Loss Prevention solutions help prevent data leaks and provide context-based policy enforcement for data at rest, in use, and in motion on-premises and in the cloud,” Alym Rayani, Senior Director, Microsoft 365, noted.

“Built into Windows 10, Microsoft Edge, and the Office apps, Endpoint DLP provides data-centric protection for sensitive information without the need for an additional agent, enabling you to prevent risky or inappropriate sharing, transfer, or use of sensitive data in accordance with your organization’s policies.”

Organizations can use it to block copying sensitive content to USB drives, printing sensitive documents, uploading sensitive files to a cloud service, or letting an unallowed app access a sensitive file.

When users attempt to do a risky action, they are alerted to the dangers and provided with a helpful explanation and guidance.

Insider Risk Management and Communication Compliance

Insider Risk Management is not a new offering from Microsoft, but it has been augmented with features that deliver new insights into the obfuscation, exfiltration, or infiltration of sensitive information.

“For those using Microsoft Defender Advanced Threat Protection (MDATP), we can now provide insights into whether someone is trying to evade security controls by disabling multi-factor authentication or installing unwanted software, which may indicate potentially malicious behaviour.”

Communication Compliance was also introduced earlier this year, and now offers enhanced insights and improved actions to help foster a culture of inclusion and safety within the organisation.

Microsoft adds an O365 mailbox feature to handle Reply-All storms

Microsoft rolled out this week a new feature to Office 365 customers to help their IT staff detect and stop “Reply-All email storms.”

The term refers to situations when employees use the Reply-All option in mass-mailed emails, such as company-wide notifications.

If the number of recipients in the email chain is large, and if multiple employees hit the Reply-All button, then the ensuing event generates massive amounts of traffic that usually slows down or crashes email servers.

Such events are common, and sooner or later most companies see their email servers go down because employees join and amplify a Reply-All storm, sometimes as a prank.

Microsoft, too, has suffered two such incidents already, the first in January 2019, and a second in March 2020. The Microsoft Reply-All email storms included more than 52,000 employees, who ended up clogging the company’s internal communications for hours.

The feature started rolling out this week to all Office 365 users worldwide. In its current form, Microsoft says the “Reply All Storm Protection” feature will block all email threads with more than 5,000 recipients that have generated more than 10 Reply-All sequences within the last 60 minutes.

Once the feature gets triggered, Exchange Online will block all replies in the email thread for the next four hours, helping servers prioritize actual emails and shut down the Reply-All storm.
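The two paragraphs above give the complete rule, so here it is as runnable detection logic. This is an added example modelled on the published thresholds, not Exchange Online code: a thread addressed to more than 5,000 recipients that has produced more than 10 Reply-All messages inside 60 minutes is blocked for the next four hours. The message-trace events are constructed, and the assumption that the message crossing the threshold is itself blocked is mine.

```python
"""Reply-All storm detector modelled on the published Exchange Online thresholds.

Added example, not Exchange Online code. Rule as described on the page: more
than 5,000 recipients and more than 10 Reply-All messages inside 60 minutes
triggers a 4-hour block on the thread. The events below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class ReplyAllStormGuard:
    def __init__(self, recipient_threshold=5000, reply_threshold=10,
                 window=timedelta(minutes=60), block_duration=timedelta(hours=4)):
        self.recipient_threshold = recipient_threshold
        self.reply_threshold = reply_threshold
        self.window = window
        self.block_duration = block_duration
        self._replies = defaultdict(deque)   # thread_id -> timestamps of Reply-All messages
        self._blocked_until = {}             # thread_id -> datetime the block expires

    def decide(self, event: dict) -> str:
        """Return 'deliver' or 'block' for one message-trace event.

        event keys: thread_id, timestamp (datetime), recipients (int), reply_all (bool).
        Assumption: the message that crosses the threshold is itself blocked.
        """
        tid, ts = event["thread_id"], event["timestamp"]
        until = self._blocked_until.get(tid)
        if until is not None and ts < until:
            return "block"                   # still inside the 4-hour block
        if not event["reply_all"] or event["recipients"] <= self.recipient_threshold:
            return "deliver"                 # the rule only targets large Reply-All threads
        recent = self._replies[tid]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop Reply-Alls older than 60 minutes
        if len(recent) > self.reply_threshold:
            self._blocked_until[tid] = ts + self.block_duration
            return "block"
        return "deliver"


def build_sample_events() -> list:
    """Constructed message-trace events: one storm, one harmless chatty thread."""
    t0 = datetime(2020, 8, 12, 9, 0)
    events = []
    # Company-wide thread (6,000 recipients): 12 Reply-Alls one minute apart ...
    for i in range(12):
        events.append({"thread_id": "allhands", "timestamp": t0 + timedelta(minutes=i),
                       "recipients": 6000, "reply_all": True})
    # ... then one more reply exactly when the 4-hour block expires ...
    events.append({"thread_id": "allhands",
                   "timestamp": t0 + timedelta(minutes=10) + timedelta(hours=4),
                   "recipients": 6000, "reply_all": True})
    # ... and a noisy but small thread that the rule must never touch.
    for i in range(20):
        events.append({"thread_id": "team-lunch", "timestamp": t0 + timedelta(minutes=i),
                       "recipients": 40, "reply_all": True})
    return events


def run_sample() -> dict:
    guard = ReplyAllStormGuard()
    decisions = defaultdict(list)
    for ev in build_sample_events():
        decisions[ev["thread_id"]].append(guard.decide(ev))
    return dict(decisions)


if __name__ == "__main__":
    for thread, verdicts in run_sample().items():
        print(f"{thread}: {' '.join(verdicts)}")
```

The constructor arguments are the knobs Microsoft says it will expose to Exchange admins later; lowering reply_threshold or recipient_threshold in a copy of this guard is a cheap way to see how much of your own message trace a stricter policy would have blocked.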

Microsoft said it would also continue working on the feature going forward, promising to add controls for Exchange admins so they can set their own storm detection limits.

Other planned features also include Reply-All storm reports and real-time notifications to alert administrators of an ongoing email storm so that they can keep an eye on the email server’s status for possible slowdowns or crashes.

And since Microsoft has had its run-ins with email storms recently, its own network proved the best testing ground for the feature.

“Humans still behave like humans no matter which company they work for,” the Exchange team said this week. “We’re already seeing the first version of the feature successfully reduce the impact of reply all storms within Microsoft.”

Windows 10 new feature: PUA/PUP blocking

The next major version of the Windows 10 operating system will include a new security option that lets users enable a previously hidden Windows Defender feature that can detect and block the installation of known PUAs (potentially unwanted applications), Microsoft announced on Tuesday.

The term PUA, also known as PUP (potentially unwanted program), is one of the lesser-known terms in cyber-security jargon.

It refers to software that has been installed on a computer by tricking the user — hence the term “potentially unwanted.” This includes tactics like bundling an unwanted app with the installer of a legitimate program, or using silent installs to bypass user consent altogether.

The category of PUA usually includes apps that show intrusive ads, apps that track users and sell their data to advertisers, apps that change browser settings, install root certificates, or disable security controls.

Starting with the Windows 10 May 2020 update, which is set to roll out later this month, Microsoft said it added an option in the Windows 10 settings panel that can let users block the installation of known PUA threats.

This capability has been present in Defender/Windows for years, but it could only be enabled via group policy (or the Set-MpPreference -PUAProtection PowerShell cmdlet), not via the Windows user interface. Going forward, this can be done by going to Start > Settings > Update & Security > Windows Security > App & browser control > Reputation-based protection settings.

The feature is turned off by default, so users will have to manually enable it once they update to Windows 10 May 2020 (v2004).

Once enabled, the feature has two settings. Microsoft recommends that users enable both.

  • Block downloads looks for PUA as it’s being downloaded, but note that it only works with the new Microsoft Edge browser.
  • Block apps will detect PUA that you’ve already downloaded or installed, so if you’re using a different browser Windows Security can still detect PUA after you’ve downloaded it.

In March 2020, Microsoft also added a similar feature to its Edge browser (the Chromium-based version), which can also detect and block PUA downloads as they happen.