Microsoft patches two zero-days with active exploits

Microsoft has addressed a total of 120 new vulnerabilities in yet another mammoth Patch Tuesday update, including two critical zero-days that are already being taken advantage of in the wild, and 17 more critical bugs.

August 2020’s Patch Tuesday list highlights vulnerabilities in Microsoft Windows, Microsoft Edge (EdgeHTML-based), Microsoft Edge (Chromium-based), Microsoft ChakraCore, Internet Explorer, Microsoft Scripting Engine, SQL Server, Microsoft JET Database Engine, .NET Framework, ASP.NET Core, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Windows Codecs Library and Microsoft Dynamics.

The two zero-days that require immediate attention are CVE-2020-1464 and CVE-2020-1380. The first of these is a spoofing vulnerability that exists when Windows incorrectly validates file signatures, and successfully exploited it lets an attacker bypass security features to load improperly signed files.

The second is a remote code execution vulnerability that exists in how the scripting engine handles objects in memory in Internet Explorer, and successful exploitation would let an attacker execute arbitrary code with the same rights as the current user, making it particularly dangerous should the current user have admin rights.

Solarwinds MSP’s Gill Langston, head security nerd, said that while August’s Patch Tuesday continued the 2020 trend of 100+ vulnerability drops, unlike July there were no major alarm bells to sound.

“While there are no issues this month that warrant an emergency patch cycle, I recommend focusing on workstations first because of the browser vulnerabilities that are under active attack and more likely to be exploited, and the spoofing vulnerability,” he said.

“Next, spend some time reading and reviewing the details for the Netlogon Elevation of Privilege Vulnerability so that you are ready to implement the changes with as few surprises as possible. Also, ensure your Office patches are up to date. Then focus on server patching at the next available patch window.

“Almost all the patches and vulnerabilities listed in this month are critical or important and very few are listed as low or moderate. In the current threat landscape, it is important to ensure that all systems are patched and up to date on a regular schedule, and that other layers of security in your environment are functioning and up to date,” said Langston.

Qualys chief information security office (CISO) Ben Carr said that the sheer volume of exploits currently being found in Microsoft products highlighted how Windows-based systems continue to be a prime target for cyber criminals.

“Add to this that huge numbers of people are working remotely, which can make patching more difficult, and you’ve got an environment that is ripe for bad actors to stroll in and attack that low-hanging unpatched fruit. To prevent this, companies need to have a robust remote patching plan to address critical CVE’s as soon as possible, especially given the current reliance on remote work,” he said.

Ivanti senior product manager Todd Schell added: “Each month as we pull together Patch Tuesday analysis and communicate to our many followers, I get a stream of responses simply saying ‘Pause Patch Tuesday’. If only threat actors got the memo that there was a pandemic and they should take a break for a bit. Point of fact – they are as busy as ever.”