August 2020 Patch Tuesday: Microsoft fixes two vulnerabilities under attack

On this August 2020 Patch Tuesday:

• Microsoft has plugged 120 flaws, two of which are being exploited in attacks in the wild
• Adobe has delivered security updates for Adobe Acrobat, Reader and Lightroom
• Apple has released updates for iCloud on Windows
• Google has updated Chrome with security fixes

Microsoft’s updates

Microsoft has released patched for 120 CVEs, 17 of which are critical and the rest important. One (CVE-2020-1464) is publicly known and being actively exploited, and another one (CVE-2020-1380) is also under attack.

CVE-2020-1464 allows an attacker to bypass security features intended to prevent improperly signed files from being loaded, and affects all supported versions of Windows, so patching it should definitely be a priority.

“CVE-2020-1464 is proof that security organizations should not be making their patching decisions solely off the CVSS score and severity rating and instead should be approaching all the security vulnerabilities as a gap in their attack surface, welcoming any malicious player into their network,” noted Richard Melick, Senior Technical Product Manager, Automox.

“Coming in only at a CVSS of 5.3, this spoofing vulnerability has been reported exploited in both legacy and newer versions of Windows and Windows Server, which is more worrisome as 25% of connected Windows devices are still running Windows 7.”

CVE-2020-1380 is a bug in Internet Explorer’s scripting engine and allow code execution on a system running a vulnerable version of the browser.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft explained.

“The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

This flaw is also under active attack, so IE users should be protected against it as soon as possible

Trend Micro Zero Day Initiative’s Dustin Childs also singled out CVE-2020-1472, a NetLogon Elevation of Privilege Vulnerability, as very important to patch quickly.

“A vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access,” he explained, but noted that fixing it entirely will be a problem.

“[The patch released today] enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC. Microsoft published guidelines to help administrators choose the correct settings.”

“There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices,” Microsoft has added.

Other critical vulnerabilities have been fixed in the .NET Framework, Media Foundation, Microsoft Edge, the Windows Codecs Library, the MSHTML Engine, the Scripting Engine, Windows Media, and Outlook.

The provided Outlook updates should also be quickly implemented, as they fix two vulnerabilities – a RCE and information disclosure bug – that could be triggered from the Preview Pane.

As announced last week, Microsoft has also delivered today a fix for CVE-2020-1337, a privilege escalation vulnerability in the Windows Print Spooler service, which affects all the Windows releases from Windows 7 to Windows 10 (32 and 64-bit). The researchers who unearthed it have promised to publish a PoC exploit this week.

Adobe’s updates

Adobe has released security updates for various versions of Adobe Acrobat and Reader for Windows and macOS, and Adobe Lightroom for Windows.

The former are more important, as they fix 11 critical vulnerability that could lead to code execution and allow attackers to bypass of a security feature, and 15 additional high-risk bugs.

Acrobat and Reader are also more widely used than Adobe Lightroom, which is a family of image organization and image manipulation software. The update for Lightroom fixes one privilege escalation flaw.

None of the fixed vulnerabilities are being actively exploited and there are no public exploits available, but the Zero Day Initiative announced it will tweet the proof-of-concept demonstration for CVE-2020-9697, a memory leak bug in Acrobat and Reader, tomorrow.

If you’re still using Adobe Flash, consider the fact that it reaches end-of-life at the end of the year and plan accordingly.

Apple’s updates

As predicted, Apple chose this Patch Tuesday to release security updates for iCloud for Windows 7.20 (for Windows 7 and later) and 11.3 (for Windows 10 and later).

The two updates deliver fixes for (mostly) the same vulnerabilities:

• A dozen of flaws in the Image I/O programming interface framework, all of which may allow attackers to achieve arbitrary code execution if the user opes a maliciously crafted image or PDF file
• A variety of flaws affecting the WebKit browser engine, the WebKit Web Inspector debugging tool and the WebKit Page Loading implementation. Some may be exploited to execute code, some to bypass Pointer Authentication or prevent Content Security Policy from being enforced, some to conceal the destination of a URL, and some to inject code.

Google’s updates

Google has not yet promoted Chrome 85 from the beta channel, but has released Chrome 84.0.4147.125 for Windows, Mac, and Linux.

No critical vulnerabilities have been fixed, but plenty of high- and medium-risk ones have.