Two 0-Days Under Active Attack, Among 120 Bugs Patched by Microsoft

One of the two zero-day bugs is rated ‘critical’ and is classified as a remote code-execution bug impacting Microsoft’s Internet Explorer.

Two Microsoft vulnerabilities are under active attack, according to the software giant’s August Patch Tuesday Security Updates. Patches for both flaws are available, and this month’s release brings the total number of vulnerabilities fixed to 120.

One of the flaws being exploited in the wild is CVE-2020-1464, a Windows spoofing bug tied to the validation of file signatures on Windows 10, 7, 8.1 and versions of Windows Server. Rated “important,” the flaw allows an adversary to “bypass security features intended to prevent improperly signed files from being loaded,” Microsoft said.

A second zero-day is a remote code-execution (RCE) bug rated “critical,” which is tied to the Internet Explorer web browser. Tracked as CVE-2020-1380, this is a scripting engine memory-corruption problem. A successful hack gives the attacker the same user rights as the current user, the company wrote.

“[The] vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer,” wrote Microsoft. “The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”

Todd Schell, senior product manager, security, Ivanti, said a typical attack vector for CVE-2020-1380 is to plant malware on a specially crafted website, on compromised websites where user-provided content or advertisements are allowed, or in applications or Microsoft Office documents that host the IE rendering engine.

“Limiting the privileges of a user would mitigate what access an attacker would gain by exploiting this vulnerability,” Schell said. He added that the exploit appears to be affecting newer versions of the Windows operating system.

Over One Dozen Critical Bugs

Of the 120 bugs, Microsoft ranked 17 as “critical” and 103 as “important” vulnerabilities.

Five of the critical bugs (CVE-2020-1554, CVE-2020-1492, CVE-2020-1379, CVE-2020-1477 and CVE-2020-1525) are tied to Microsoft’s Windows Media Foundation (WMF), a multimedia framework and infrastructure platform for handling digital media in Windows 7 through Windows 10 and Windows Server 2008 through 2019. August’s bugs bring the number of critical bugs to ten, points out Allan Liska, senior security architect at Recorded Future.

“These vulnerabilities exist in the way WMF handles objects in memory. Successful exploitation would allow an attacker to install malicious software, manipulate data or create new accounts,” Liska said.

The researcher also urged security teams to patch CVE-2020-1046, a .NET framework RCE bug that affects versions 2.0 through 4.8. “The vulnerability exists in the way .NET handles imports. An attacker could exploit this vulnerability and gain admin-level control of the vulnerable system. To exploit this vulnerability, an attacker needs to upload a specially crafted file to a web application,” wrote Liska in a Patch Tuesday research note.

Richard Tsang, senior software engineer at Rapid7, commented in his Patch Tuesday note that the most interesting bug patched this month is a Netlogon elevation of privilege bug (CVE-2020-1472), present in several versions of Windows Server. The patch is a multi-step affair.

Tsang wrote, “CVE-2020-1472 is an elevation-of-privilege vulnerability where a connection to a vulnerable domain controller using the Netlogon Remote Protocol (NRP) could obtain domain administrator access.”

The NRP is used for user and machine authentication on domain-based networks, and performs a wide range of functions tied to user-account database replication, backing up domain controllers and managing domain relationships, according to Microsoft.

“The uniqueness behind the patch of this vulnerability is that it gets completed in two phases, and forces the answer of, ‘am I remediated from CVE-2020-1472’ from a binary ‘yes/no,’ to an ‘it depends,’” Tsang wrote.

He added, “By default, applying the applicable Windows Server patch will resolve the vulnerability for Windows devices without further action, but this implies that non-Windows devices could potentially trigger an exploit. It is only by enforcing (something that will be done automatically sometime in Q1 2021 according to Microsoft) the use of the secure Remote Procedure Call (RPC) with Netlogon secure channel via the DC enforcement mode that remediation would actually be complete,” he said.

Microsoft acknowledges the potential organizational impact of this and has provided additional guidance on this front.
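As an added example (not from the article, Rapid7 or Microsoft), the following PowerShell audits where a domain controller stands in the two-phase remediation Tsang describes: whether DC enforcement mode is on, and which clients are still negotiating vulnerable Netlogon connections that enforcement would block. It assumes the FullSecureChannelProtection registry value and Netlogon System-log event IDs 5827 through 5831 that Microsoft documents in its CVE-2020-1472 deployment guidance; run it in an elevated session on each DC.

```powershell
# Added example: audit CVE-2020-1472 remediation state on a domain controller.
# Assumes the registry value and event IDs from Microsoft's CVE-2020-1472 guidance.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'FullSecureChannelProtection'

function Get-NetlogonEnforcementState {
    # 1      = DC enforcement mode: secure RPC required for every Netlogon secure channel.
    # 0/none = initial deployment phase: Windows devices are protected, but non-Windows
    #          devices may still negotiate vulnerable connections (Tsang's "it depends").
    $prop = Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop)            { return 'NotConfigured (deployment phase)' }
    if ($prop.$valueName -eq 1)     { return 'Enforced' }
    return 'NotEnforced (deployment phase)'
}

function Get-VulnerableNetlogonClients {
    param([int]$Days = 7)
    # Netlogon events written to the System log once the patch is installed:
    #   5827 / 5828 = vulnerable connection denied (machine account / trust account)
    #   5829        = vulnerable connection ALLOWED (only possible during deployment phase)
    #   5830 / 5831 = allowed because the account is on the group policy allow list
    # Devices appearing in 5829 are the ones that will break when enforcement is turned on.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } },
                      Count,
                      @{ n = 'Sample'; e = { (($_.Group | Select-Object -First 1).Message -split '\r?\n')[0] } }
}

"Enforcement state: $(Get-NetlogonEnforcementState)"
Get-VulnerableNetlogonClients -Days 7 | Format-Table -AutoSize

# Once no 5829 events remain (or the remaining devices are fixed or allow-listed),
# enforcement can be switched on ahead of Microsoft's automatic rollout with:
#   Set-ItemProperty -Path $paramsKey -Name $valueName -Value 1 -Type DWord
```

An empty result from Get-VulnerableNetlogonClients with the state still reporting a deployment phase means the DC is protected for Windows clients but not yet fully remediated in the sense Tsang describes.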
