In its August 2020 Patch Tuesday, Microsoft released patches for 120 CVEs, 17 of which are rated critical and two of which were being actively exploited at the time of writing. This set of patches brings the total released by Microsoft so far in 2020 to 862, more than the software giant released during all of 2019.
It’s likely that Microsoft has upped its patching game in response to the global move to remote working, which has resulted in millions of employees remotely connecting to a company’s internal networks and handling sensitive data on their personal devices without the protection provided by enterprise-grade security solutions.
Now it’s up to IT teams and individual users alike to install the newly available patches as soon as possible to make it impossible for cybercriminals to exploit the vulnerabilities, especially CVE-2020-1380 and CVE-2020-1464, both of which are under active attack.
CVE-2020-1380 is a vulnerability in the way Internet Explorer’s scripting engine handles objects in memory. It makes it possible for an attacker to remotely execute arbitrary code in the context of the current user, thereby gaining the same user rights as that user.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” explains Microsoft. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The most probable way of exploiting this vulnerability involves a malicious website, but it’s also possible to achieve the same result by using an embedded ActiveX control in a Microsoft Office document.
CVE-2020-1464, the second actively exploited flaw, is a spoofing vulnerability. Microsoft Windows has multiple security features whose purpose is to prevent files that haven’t been signed properly from being loaded. This vulnerability allows attackers to bypass these features and load improperly signed files as if they were completely legitimate.
According to Bernardo Quintero from VirusTotal, “an attacker can append a malicious JAR to a MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according to Microsoft Windows.”
This spoofing vulnerability has been actively exploited by cybercriminals for the last two years, with the first attacks observed in the wild going back to August 2018, and it will continue to be exploited until the newly released patch is installed on all vulnerable systems. What’s interesting is that CVE-2020-1464 is rated merely as Important despite its high severity.
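The file shape Quintero describes is a polyglot: an MSI is an OLE compound file whose Authenticode signature covers only the compound-file structure, while a JAR is a ZIP archive whose reader locates the archive by scanning backwards from the end of the file for the end-of-central-directory (EOCD) record. A defender can therefore flag files that start with the OLE magic bytes but end with a ZIP EOCD record. The script below is an added example written for this article, not code from the original page, Microsoft or VirusTotal; the sample MSI header and JAR it checks are constructed in memory and are stand-ins, not real signed files.

```python
"""Heuristic triage check for signed-MSI/JAR polyglots of the kind described for CVE-2020-1464.

An MSI is an OLE compound file; a JAR is a ZIP archive. Bytes appended after the compound
file are not covered by the Authenticode signature, while a ZIP reader finds its
end-of-central-directory (EOCD) record by scanning backwards from the end of the file,
so one file can satisfy both parsers at once. A file that starts with the OLE magic and
ends with a ZIP EOCD record is therefore worth a closer look.
"""
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file (MSI, old Office) header
ZIP_EOCD_MAGIC = b"PK\x05\x06"
ZIP_EOCD_MIN = 22          # fixed part of the EOCD record
ZIP_COMMENT_MAX = 0xFFFF   # the EOCD may be followed by a comment of up to 65535 bytes


def find_zip_eocd(data: bytes) -> int:
    """Return the offset of the ZIP EOCD record, or -1 if there is none.

    Mirrors how ZIP readers locate it: scan backwards from the end of the file within
    the window in which a trailing archive comment could legally push the record."""
    window_start = max(0, len(data) - ZIP_EOCD_MIN - ZIP_COMMENT_MAX)
    pos = data.rfind(ZIP_EOCD_MAGIC, window_start)
    while pos != -1:
        if pos + ZIP_EOCD_MIN <= len(data):
            # A genuine EOCD declares a comment length that ends exactly at end of file.
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + ZIP_EOCD_MIN + comment_len == len(data):
                return pos
        pos = data.rfind(ZIP_EOCD_MAGIC, window_start, pos)
    return -1


def classify(data: bytes) -> str:
    """Classify a blob as 'msi', 'zip', 'msi+zip-polyglot' or 'other'."""
    is_ole = data.startswith(OLE_MAGIC)
    has_eocd = find_zip_eocd(data) != -1
    if is_ole and has_eocd:
        return "msi+zip-polyglot"
    if is_ole:
        return "msi"
    if has_eocd:
        return "zip"
    return "other"


def zip_entry_names(data: bytes) -> list:
    """List the members a ZIP/JAR reader would see in this blob.

    ZIP readers tolerate leading bytes (they rebase offsets from the EOCD), which is
    why an archive appended to an MSI still opens as a normal archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def build_sample_jar() -> bytes:
    """Constructed sample: a tiny JAR holding only a manifest (not a real JAR from the article)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
    return buf.getvalue()


# Constructed stand-ins: an OLE header with the magic and a blank body, a tiny JAR, and the
# concatenation described in the article (JAR appended after the MSI bytes).
FAKE_MSI = OLE_MAGIC + b"\x00" * 504
SAMPLE_JAR = build_sample_jar()
POLYGLOT = FAKE_MSI + SAMPLE_JAR


if __name__ == "__main__":
    for label, blob in (("msi", FAKE_MSI), ("jar", SAMPLE_JAR), ("msi+jar", POLYGLOT)):
        print(f"{label:8s} -> {classify(blob):18s} entries={zip_entry_names(blob)}")
```

On a real system the same check runs over the bytes of each downloaded installer; a hit does not prove malice (some legitimate self-extracting bundles are polyglots too), but it is a cheap signal that the trusted signature does not cover everything in the file and that the object deserves a sandbox look before execution.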
Other Critical Vulnerabilities
Besides CVE-2020-1380 and CVE-2020-1464, Microsoft ranked 15 other vulnerabilities as critical. Dustin Childs of Trend Micro’s Zero-Day Initiative called attention to CVE-2020-1472, an elevation of privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC), whose purpose is to verify logon requests, as well as register, authenticate, and locate Domain Controllers.
An attacker who successfully exploited this vulnerability could run a specially crafted application on a device on the network. The recently released patch is only the first part of a two-part rollout. The second part will be released in Q1 2021 to enforce protection for all domain-joined devices, including non-compliant implementations of MS-NRPC.
Allan Liska, a senior security architect at Recorded Future, recommended that IT teams urgently patch CVE-2020-1046. This remote code execution vulnerability in Microsoft .NET Framework makes it possible for an attacker to take control of a system by uploading a specially crafted file to a web application, and it affects Microsoft .NET Framework versions 2.0 through 4.8.
The remaining vulnerabilities with Critical severity include CVE-2020-1525, CVE-2020-1379, CVE-2020-1477, CVE-2020-1492, CVE-2020-1554, CVE-2020-1568, CVE-2020-1483, CVE-2020-1560, CVE-2020-1574, CVE-2020-1585, CVE-2020-1567, CVE-2020-1555, CVE-2020-1570, and CVE-2020-1339.
Microsoft isn’t the only major tech company that released a large number of patches in August. Adobe, for example, released multiple patches for Adobe Lightroom and several products in the Adobe Acrobat family. While installing security patches may be mildly annoying, it’s important to realize that timely patching is one of the most effective defenses against cyber attacks that organizations and individual users alike have at their disposal. If you would like to learn more about how to protect your business using BCA’s cybersecurity solutions, feel free to contact us.