Microsoft's August Patch Rollout Targets 120 Flaws
The year 2020 continues with hefty security patch bundles arriving from Microsoft. The company's latest security update rollout on Tuesday delivered patches for 120 common vulnerabilities and exposures (CVEs).
Microsoft has already delivered more software fixes than it did last year, according to Dustin Childs of Trend Micro's Zero Day Initiative. It's now been "six straight months of 110+ CVEs [from Microsoft] and brings the yearly total to 862 -- 11 more patches than Microsoft shipped in all of 2019," Childs wrote in a Tuesday ZDI post.
As usual, there are patches for Windows and Microsoft's browsers (including the Chakra Core browser engine), plus Microsoft Office. Also in the mix are SQL Server, Microsoft Dynamics, .NET Framework, ASP.NET Core and the Microsoft JET database engine, per Microsoft's "Release Notes."
These bulky Microsoft "update Tuesdays" could be a result of more remote work being done these days, according to Richard Melick, a senior technical product manager at Automox. He added that "these numbers also highlight the need for IT and SecOps teams to establish and follow patch policies that support all endpoints, especially remote, for the long term."
Of the 120 total CVEs, there are 17 vulnerabilities rated "Critical," while 103 are deemed "Important" in severity, per ZDI's count.
Microsoft's security patches likely will require system reboots, per this Microsoft document.
Vulnerabilities Under Attack
Two vulnerabilities getting patched this month are under active attack, with one of them also being described as "publicly known." Such factors could increase the risks of an attack.
Under attack is a mostly Critical-rated scripting engine vulnerability (CVE-2020-1380) in Internet Explorer browsers. A successful exploit of this flaw could enable remote code execution, with the aim of gaining user access rights. The exploit could get triggered by a user visiting a malicious Web site or by using an embedded ActiveX control in an application or a Microsoft Office document. Childs suggested applying this patch as "a top priority," citing its discovery by antimalware software maker Kaspersky.
CVE-2020-1380 applies to IE browsers on all Windows systems. However, organizations that limit user privileges "would mitigate what access an attacker would gain by exploiting this vulnerability," explained Todd Schell, a senior product manager for security at Ivanti, via e-mail.
Also under attack is an Important spoofing vulnerability (CVE-2020-1464) in most supported and unsupported Windows systems that could permit an attacker to "load improperly signed files." Attackers can "load any file and trick Windows that the file is legit and from a trusted source," Melick explained. This vulnerability also was publicly known before today's update Tuesday patch release, according to Childs.
Merely rating CVE-2020-1464 as Important could be a gross understatement, according to Schell:
Interestingly the vulnerability [of CVE-2020-1464] is only rated as Important and has a CVSSv3 base score of 5.3 even though it is being actively exploited. This is a great example of how prioritization can miss priority items. Those who deploy based on vendor severity Critical or CVSS scores of a certain level or higher should ensure they have other metrics to catch known exploited or publicly disclosed vulnerabilities.
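To make Schell's point concrete, here is an added example (not from the article or any of the vendors quoted) that triages a constructed sample of this month's CVEs two ways: a rating-only policy ("Critical or CVSS 7.0+ first") and a threat-informed order that puts active exploitation and public disclosure ahead of vendor severity. Only the 5.3 score for CVE-2020-1464 comes from the text; the other CVSS values are assumed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    severity: str      # vendor severity rating
    cvss: float        # CVSSv3 base score
    exploited: bool    # actively exploited in the wild
    disclosed: bool    # publicly known before the patch shipped


# Constructed sample from the flaws the article discusses. Only the 5.3 score
# for CVE-2020-1464 is quoted in the text; the other scores are assumed
# placeholders chosen to be consistent with each entry's vendor severity.
AUGUST_SAMPLE = [
    Cve("CVE-2020-1380", "Critical", 7.5, exploited=True, disclosed=False),
    Cve("CVE-2020-1464", "Important", 5.3, exploited=True, disclosed=True),
    Cve("CVE-2020-1472", "Critical", 9.0, exploited=False, disclosed=False),
    Cve("CVE-2020-1493", "Important", 5.5, exploited=False, disclosed=False),
]

SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


def first_wave_by_rating(cves, min_cvss=7.0):
    """Vendor-rating policy: deploy now only if Critical or CVSS >= min_cvss."""
    return [c.cve_id for c in cves
            if c.severity == "Critical" or c.cvss >= min_cvss]


def _threat_key(c):
    # Exploited-in-the-wild first, then publicly disclosed, then vendor
    # severity, then CVSS as the final tie-breaker.
    return (c.exploited, c.disclosed, SEVERITY_RANK.get(c.severity, 0), c.cvss)


def threat_informed_order(cves):
    """Full deployment order; a low-scored but exploited bug still comes first."""
    return [c.cve_id for c in sorted(cves, key=_threat_key, reverse=True)]


def missed_by_rating(cves, min_cvss=7.0):
    """Exploited or disclosed CVEs the rating-only policy would defer."""
    first = set(first_wave_by_rating(cves, min_cvss))
    return [c.cve_id for c in cves
            if (c.exploited or c.disclosed) and c.cve_id not in first]


if __name__ == "__main__":
    print("rating-only first wave:", first_wave_by_rating(AUGUST_SAMPLE))
    print("threat-informed order: ", threat_informed_order(AUGUST_SAMPLE))
    print("exploited but deferred:", missed_by_rating(AUGUST_SAMPLE))
```

Run as-is, the rating-only wave ships the two Critical fixes and leaves the actively exploited CVE-2020-1464 behind, which the threat-informed order moves to the front.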
In the painful department, there's a Critical elevation-of-privilege vulnerability (CVE-2020-1472) associated with Netlogon secure channel connections in Windows Server 2019 and Windows Server 2016. This vulnerability can enable an attacker "to connect to a domain controller to obtain domain administrator access," Microsoft's security bulletin explained.
CVE-2020-1472 is a problem because it is an available Windows process that could get exploited by attackers, explained Jay Goodman, a strategic product marketing manager at Automox:
The risk of having a process vulnerability like NetLogon is that it is not an application, but instead an always available process for attackers to exploit. The vulnerability itself is not likely to lead to a direct exploit. However, attackers can rely on its existence when crafting malware to target Windows Server devices, giving adversaries a reliable staging point to pivot from.
Microsoft's Aug. 11 patch for CVE-2020-1472 provides initial protection. However, a "domain controller enforcement mode" will get turned on early next year to enforce the use of "secure Remote Procedure Call (RPC)" with Netlogon. Organizations will need to have a second patch installed to avoid an issue where devices get denied access. That second patch is expected to arrive in "Q1 2021" (February). IT pros need to follow these instructions, Microsoft emphasized.
The second patch coming after CVE-2020-1472 to activate secure RPC apparently is needed to address problems with non-Windows device connections, according to an e-mailed explanation by Richard Tsang, a senior software engineer at Rapid7:
By default, applying the applicable Windows Server patch will resolve the vulnerability for Windows devices without further action, but this implies that non-Windows devices could potentially trigger an exploit. It is only by enforcing (something that will be done automatically sometime in Q1 2021, according to Microsoft) the use of the secure Remote Procedure Call (RPC) with the Netlogon secure channel via the DC enforcement mode that remediation would actually be complete.
The Broad Attack Surface
Another view of this month's patch bundle comes from Jon Munshaw of Cisco Talos. A big target in terms of Critical-rated vulnerabilities is the Microsoft Media Foundation, a multimedia platform for developers that dates back to the old Windows Vista days.
Here's Munshaw's note, per a Cisco Talos security blog post:
Microsoft Media Foundation contains the largest number of these critical vulnerabilities. The bugs (CVE-2020-1379, CVE-2020-1477, CVE-2020-1492, CVE-2020-1525 and CVE-2020-1554) could all allow an adversary to corrupt memory in a way that would allow them to execute code remotely on the victim machine. Any of these vulnerabilities could be triggered if the target opens a specially crafted document or web page.
Important Office Vulnerability
Perhaps underrated is an Important information disclosure vulnerability (CVE-2020-1493) in Microsoft Office, Microsoft Outlook and the Microsoft 365 Apps for Enterprise productivity suite (formerly known as Office 365 ProPlus). The vulnerability apparently lets a third party get access to an e-mailed attachment.
"This vulnerability could potentially allow users to share attached files such that they are accessible by anonymous users where they should be restricted to specific users," Microsoft's security bulletin explained.
The exploit apparently can get triggered when one party views the attached file in Outlook's View Pane, which puts CVE-2020-1493 "on the threshold of being Critical," according to Melick.
Microsoft's security bulletin, though, argued that CVE-2020-1493 is rated Important because it only discloses information and does not permit remote code execution.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.