Microsoft has released its August Patch Tuesday security updates, addressing a total of 120 vulnerabilities, including two zero-days, in the Windows family of operating systems and related products. Of these, 17 are classified as Critical and 103 as Important. Affected products include Microsoft Windows, Microsoft Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Windows Codecs Library, .NET Framework, and Microsoft Dynamics.
All the Critical bugs are Remote Code Execution (RCE) and Elevation of Privilege (EoP) flaws that reside in Internet Explorer, Windows, ChakraCore, .NET Framework, and Microsoft Office, to name a few.
Zero-day and Under Active Exploit Vulnerabilities:
- A remote code execution (RCE) vulnerability exists in the manner that the scripting engine handles objects in memory in Internet Explorer.
- To exploit the vulnerability, an attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then persuade a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.
- Similarly, an attacker could leverage compromised websites and sites that accept or host user-provided content or advertisements which could contain maliciously crafted data that could exploit the vulnerability.
- Successful exploitation of the vulnerability could corrupt memory and let the attacker execute arbitrary code in the context of the current user. If the current user is signed in with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install new programs, view and modify data, or create new accounts with admin rights.
- A Windows spoofing vulnerability exists when Windows incorrectly validates file signatures on all supported versions of Windows. It is known to affect confidentiality, integrity, and availability.
- To exploit the vulnerability, a remote attacker could create a maliciously crafted file to bypass implemented security restrictions and successfully load a malicious file.
- Successful exploitation of the vulnerability could allow an attacker to bypass security features and load improperly signed files.
- A critical elevation of privilege (EoP) vulnerability exists due to the application not properly imposing security restrictions in Netlogon. An attacker could establish a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).
- To exploit the vulnerability, an unauthenticated attacker could use MS-NRPC to connect to a domain controller as a domain administrator. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom of a corporate network.
- Successful exploitation of the vulnerability could allow an attacker to run a maliciously crafted application on a device in the network.
NOTE: Microsoft adds an important note to their advisory that this patch is only the first of two patches to fix this vulnerability, and the second patch is slated to be released on or after February 9, 2021.
- An elevation of privilege (EoP) vulnerability exists due to the Windows Print Spooler service improperly allowing arbitrary writing to the file system.
- The primary component of the printing interface is the print spooler. The print spooler is an executable file that manages the printing process. The spooler is loaded at system startup and continues to run until the operating system is shut down. An attacker can use a specially crafted application to execute arbitrary code on the target system with elevated privileges.
- Successful exploitation of the vulnerability could allow an attacker to run arbitrary code with elevated system privileges. An attacker could then install programs, view and modify data, or create new accounts with admin rights.
This fix addresses a patch bypass for CVE-2020-1048, a separate Windows Print Spooler bug discovered by Peleg Hadar and Tomer Bar from SafeBreach Labs, whose patch was released in May 2020. The same researchers discovered that this local privilege escalation flaw could still be exploited. The researchers shared more information at last week’s Black Hat USA 2020 conference.
- A remote code execution (RCE) vulnerability exists in Microsoft Outlook when Outlook improperly handles objects in memory. The vulnerability exists due to a boundary error while processing files in an email.
- To exploit the vulnerability, a remote attacker could create a malicious file and persuade the victim to open it, triggering memory corruption and executing arbitrary code on the target system.
- Successful exploitation of the vulnerability could let an attacker run arbitrary code in the context of the current user. An attacker could then install programs, view and modify data, or create new accounts with admin rights. Users with fewer user rights on the system could be less impacted than users with administrative user rights.
- If the current user is logged in with administrative user rights, then an attacker gains admin rights and takes full control of the affected system.
Along with Microsoft, Adobe has released security updates addressing 11 Critical and 15 Important vulnerabilities for Adobe Acrobat, Reader, and Lightroom, which might lead to bypassing security features or performing remote code execution.
Microsoft Security Bulletin Summary for August 2020:
- Internet Explorer
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Edge (EdgeHTML-based)
- Microsoft ChakraCore
- ASP.NET Core
- Microsoft Dynamics
Product: Internet Explorer
Impact: Remote Code Execution
CVEs/Advisories: CVE-2020-1380, CVE-2020-1567, CVE-2020-1570
KBs: 4565349, 4565351, 4566782, 4571687, 4571692, 4571694, 4571703, 4571709, 4571729, 4571730, 4571736, 4571741
Product: Microsoft Windows
Impact: Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Spoofing
CVEs/Advisories: CVE-2020-1337, CVE-2020-1339, CVE-2020-1377 – CVE-2020-1379, CVE-2020-1383, CVE-2020-1417, CVE-2020-1459, CVE-2020-1464, CVE-2020-1466, CVE-2020-1467, CVE-2020-1470, CVE-2020-1472 – CVE-2020-1475, CVE-2020-1477 – CVE-2020-1480, CVE-2020-1484 – CVE-2020-1490, CVE-2020-1492, CVE-2020-1509 – CVE-2020-1513, CVE-2020-1515 – CVE-2020-1522, CVE-2020-1524 – CVE-2020-1531, CVE-2020-1533 – CVE-2020-1554, CVE-2020-1556 – CVE-2020-1558, CVE-2020-1560 – CVE-2020-1562, CVE-2020-1564 – CVE-2020-1566, CVE-2020-1571, CVE-2020-1574, CVE-2020-1577, CVE-2020-1578, CVE-2020-1579, CVE-2020-1584, CVE-2020-1585, CVE-2020-1587
KBs: 4565349, 4565351, 4566782, 4571692, 4571694, 4571702, 4571703, 4571709, 4571723, 4571736, 4571741
Product: Microsoft Office and Microsoft Office Services and Web Apps
Impact: Elevation of Privilege, Information Disclosure, Remote Code Execution
CVEs/Advisories: CVE-2020-1483, CVE-2020-1493 – CVE-2020-1498, CVE-2020-1502, CVE-2020-1503, CVE-2020-1563, CVE-2020-1581 – CVE-2020-1583
KBs: 4484346, 4484354, 4484359, 4484375, 4484379, 4484431, 4484470, 4484481, 4484492, 4484495
Product: Microsoft Edge (EdgeHTML-based)
Impact: Remote Code Execution
CVEs/Advisories: CVE-2020-1555, CVE-2020-1568, CVE-2020-1569
KBs: 4565349, 4565351, 4566782, 4571692, 4571694, 4571709, 4571741
Product: Microsoft ChakraCore
Impact: Remote Code Execution
Product: ASP.NET Core
Impact: Denial of Service
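
Added example (not part of the original bulletin): a small Python parser for the Product/Impact/CVEs/KBs records above that expands the "CVE-… – CVE-…" ranges, so a CVE reported by a scanner can be matched to its product record. The function names are illustrative and the embedded text is a three-record excerpt of the list above; the KB numbers returned are the product-level list, not a per-CVE mapping.

```python
import re

# Three records copied from the bulletin above (ChakraCore has no CVE/KB lines).
BULLETIN = """\
Product: Internet Explorer
Impact: Remote Code Execution
CVEs/Advisories: CVE-2020-1380, CVE-2020-1567, CVE-2020-1570
KBs: 4565349, 4565351, 4566782, 4571687, 4571692, 4571694, 4571703, 4571709, 4571729, 4571730, 4571736, 4571741
Product: Microsoft Office and Microsoft Office Services and Web Apps
Impact: Elevation of Privilege, Information Disclosure, Remote Code Execution
CVEs/Advisories: CVE-2020-1483, CVE-2020-1493 – CVE-2020-1498, CVE-2020-1502, CVE-2020-1503, CVE-2020-1563, CVE-2020-1581 – CVE-2020-1583
KBs: 4484346, 4484354, 4484359, 4484375, 4484379, 4484431, 4484470, 4484481, 4484492, 4484495
Product: Microsoft ChakraCore
Impact: Remote Code Execution
"""
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")

def expand_cves(field):
    """Expand 'CVE-2020-1493 – CVE-2020-1498' style ranges into single IDs."""
    cves = []
    for item in field.split(","):
        ids = CVE_RE.findall(item)
        if not ids:
            continue
        (y1, n1), (y2, n2) = ids[0], ids[-1]   # a single ID is a range of one
        if y1 != y2 or int(n2) < int(n1):
            raise ValueError(f"bad CVE range: {item.strip()!r}")
        cves += [f"CVE-{y1}-{n:0{len(n1)}d}" for n in range(int(n1), int(n2) + 1)]
    return cves

def parse_bulletin(text):
    """Return one dict per 'Product:' record; absent fields stay empty lists."""
    records, cur = [], {}
    for line in text.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        if key == "Product":
            cur = {"product": value, "impact": [], "cves": [], "kbs": []}
            records.append(cur)
        elif key == "Impact":
            cur["impact"] = [v.strip() for v in value.split(",")]
        elif key == "CVEs/Advisories":
            cur["cves"] = expand_cves(value)
        elif key == "KBs":
            cur["kbs"] = [f"KB{v.strip()}" for v in value.split(",")]
    return records

def products_for(records, cve):
    """Reverse lookup: product records (with their KB lists) that name this CVE."""
    return {r["product"]: r["kbs"] for r in records if cve in r["cves"]}
```

A CVE that falls inside a range, such as CVE-2020-1495, never appears literally in the bulletin text, so a plain string search of the page misses it; `products_for(parse_bulletin(BULLETIN), "CVE-2020-1495")` finds it under the Office record.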