Microsoft has released an out-of-band security update addressing two high-severity elevation-of-privilege (EoP) bugs. Both flaws exist in a service called Windows Remote Access, which provides remote-access capabilities to client applications on computers running Windows.
Of note, both flaws were originally disclosed Aug. 11, during Microsoft’s regularly scheduled Patch Tuesday updates, where the tech giant patched 120 vulnerabilities overall. During those updates, fixes for the two flaws were issued for Windows 10, Windows 7, Windows Server 2008, 2012, 2016 and 2019, as well as Windows Server (versions 1903, 1909 and 2004). Wednesday’s unscheduled updates fix the vulnerabilities in Windows 8.1 and Windows Server 2012.
“Microsoft is announcing the availability of security update 4578013 for all supported versions of Microsoft 8.1 and Windows Server 2012 R2,” according to Microsoft’s Wednesday advisory. “Customers running Windows 8.1 or Server 2012 R2 should install the update for their product to be protected from this vulnerability. Customers running other versions of Microsoft Windows or Windows Server do not need to take any action.”
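For administrators who want to confirm that the out-of-band update above has actually landed on their Windows 8.1 and Server 2012 R2 hosts, the following PowerShell check is an added example, not code from the article or from Microsoft. It assumes that the update shows up in the installed-hotfix list under the id KB4578013 (the number Microsoft gives in the advisory) and that both affected platforms report kernel version 6.3; a later monthly rollup may carry the same fix, so a missing KB entry is a prompt to check Windows Update history rather than proof of exposure.

```powershell
# Added example: verify whether KB4578013 is present on a Windows 8.1 /
# Windows Server 2012 R2 host. Not from the article or from Microsoft.
# Assumption: the out-of-band update is listed by Get-HotFix as 'KB4578013'.
$kb = 'KB4578013'

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) (build $($os.Version))"

# Windows 8.1 and Windows Server 2012 R2 both report kernel version 6.3.x;
# Microsoft's advisory says other Windows versions need no action for this update.
if ($os.Version -notlike '6.3.*') {
    Write-Host "Not Windows 8.1 / Server 2012 R2; $kb does not apply here."
    return
}

$fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($fix) {
    Write-Host "$kb is installed (InstalledOn: $($fix.InstalledOn))."
} else {
    # Caveat: a later cumulative/monthly rollup may supersede this KB without
    # listing it separately, so treat this as 'needs review', not 'vulnerable'.
    Write-Host "$kb NOT found; review Windows Update history and install the update."
    exit 1
}
```

The same check can be pointed at several machines at once by passing a list of names to the `-ComputerName` parameter of `Get-HotFix`, or by wrapping the script in `Invoke-Command` against a fleet of Windows 8.1 / 2012 R2 hosts; the non-zero exit code makes it easy to collect a list of hosts still missing the update.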
The first vulnerability (CVE-2020-1530) stems from Windows Remote Access improperly handling memory. To exploit this vulnerability, an attacker would first need the ability to execute code on a target’s system. An attacker could then run a specially crafted application to elevate privileges.
The flaw has a CVSS score of 7.8 out of 10, making it “important” in severity. However, it has not been observed being exploited in the wild, and Microsoft said that exploitation of the bug is “less likely” because an attacker first needs to be able to execute code on the target to launch the attack. Symeon Paraschoudis of Pen Test Partners was credited with discovering the flaw.
“The security update addresses the vulnerability by correcting how Windows Remote Access handles memory,” according to Microsoft.
The second EoP flaw (CVE-2020-1537), reported anonymously, stems from the Windows Remote Access service improperly handling file operations.
“To exploit the vulnerability, an attacker would first need code execution on a victim system,” according to Microsoft. “An attacker could then run a specially crafted application.”
An attacker who successfully exploited this flaw could gain elevated privileges. The security update addresses the vulnerability by ensuring that Windows Remote Access properly handles file operations. This flaw also has a CVSS score of 7.8 out of 10, making it “important” in severity, but it has not been exploited.
The fixes come a week after Microsoft issued patches for two flaws under active attack as part of its Patch Tuesday updates. One of the flaws (CVE-2020-1464), a Windows spoofing bug tied to the validation of file signatures, allows an adversary to “bypass security features intended to prevent improperly signed files from being loaded.” The second (CVE-2020-1380), a remote code-execution bug, is tied to the Internet Explorer web browser. A successful hack gives the attacker the same user rights as the current user, the company wrote.