Set of patches includes an unusual “critical” rated elevation of privilege bug
Microsoft has patched 120 CVEs for August, including 17 labelled critical and two under active attack in the wild. The release brings its patches to 862 so far this year — more than full-year 2019.
The patches plug vulnerabilities in Windows, Microsoft Scripting Engine, SQL Server, .NET Framework, ASP.NET Core, Office and Office Services and Web Apps, Microsoft Dynamics and more.
Under active attack:
CVE-2020-1464 – Windows Spoofing Vulnerability
This spoofing bug allows an attacker to load improperly signed files, bypassing signature verification.
With a new Windows file signature spoofing vuln (CVE-2020-1464) being actively exploited in the wild – review the detection rules you have in place that alert when (what purport to be) Windows system files behave abnormally. Few examples below using @cortexbypanw & @sansforensics https://t.co/2PwaXnZQLO
— Jamie Brummell (@jamiebrummell) August 12, 2020
Microsoft does not list where this is public or how many people are affected by the attacks, but all supported versions of Windows are affected, so test and deploy this one quickly.
CVE-2020-1380 – Scripting Engine Memory Corruption Vulnerability
This bug in IE lets an attacker run their code on a target system if an affected version of IE views a specially crafted website.
— Maddie Stone (@maddiestone) August 11, 2020
The bug was reported by Kaspersky; it’s reasonable to assume malware is involved.
CVE-2020-1472 – NetLogon Elevation of Privilege Vulnerability
An unusual elevation of privilege bug that’s rated critical, this vulnerability is in the Netlogon Remote Protocol (MS-NRPC). An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access. Worryingly, a full fix is not yet available. As the ZDI notes: “This patch enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug.”
Here's a digest of my understanding of #CVE-2020-1472 for the Microsoft Netlogon secure channel vulnerability and what you need to do to protect yourself. Thread. ⬇️
— Ryan Newington [MVP] 🇦🇺 (@RyanLNewington) August 12, 2020
After applying this patch, you’ll still need to make changes to your DC. Microsoft published guidelines to help administrators choose the correct settings.
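As an added example (not from the article or from Microsoft’s own guidance), the following PowerShell snippet is one way an administrator could check where a patched DC stands after following those guidelines. It assumes, based on Microsoft’s published CVE-2020-1472 deployment guidance rather than on anything in this article, that the `FullSecureChannelProtection` DWORD under the Netlogon `Parameters` registry key selects enforcement mode and that Netlogon logs events 5827–5831 to the System log when vulnerable secure channel connections are denied or still allowed; verify both against the current guidance before relying on them.

```powershell
# Added example, not part of the original article. Audits a domain controller's
# Netlogon secure channel hardening state after the August 2020 patch.
# Assumptions (from Microsoft's CVE-2020-1472 deployment guidance, not this article):
#   - FullSecureChannelProtection = 1 under the Netlogon Parameters key means
#     enforcement mode; absent or 0 means the initial deployment phase.
#   - NETLOGON System-log events 5827/5828 report denied vulnerable connections,
#     5829 reports allowed ones, 5830/5831 report ones allowed by group policy.
# Run from an elevated PowerShell session on the DC.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName   = 'FullSecureChannelProtection'

function Get-NetlogonEnforcementState {
    $props = Get-ItemProperty -Path $netlogonKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$valueName) {
        return 'Not set: deployment phase, vulnerable connections still allowed and logged'
    }
    switch ($props.$valueName) {
        1       { 'Enforcement: vulnerable Netlogon secure channel connections are denied' }
        0       { 'Deployment: vulnerable connections allowed and logged' }
        default { "Unexpected value $($props.$valueName); check the registry manually" }
    }
}

function Get-VulnerableNetlogonEvents {
    param([int]$Days = 7)
    # Pull only the Netlogon events that describe vulnerable secure channel use
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

"Netlogon secure channel state: $(Get-NetlogonEnforcementState)"

$events = Get-VulnerableNetlogonEvents
if (-not $events) {
    'No vulnerable Netlogon secure channel events in the last 7 days.'
}
else {
    # Summarise by event ID so denied (5827/5828) and still-allowed (5829-5831)
    # connections can be told apart at a glance before switching on enforcement
    $events | Group-Object Id | Sort-Object Name |
        ForEach-Object { 'Event {0}: {1} occurrence(s)' -f $_.Name, $_.Count }
    # Full messages name the machine or trust accounts that still need attention
    $events | Format-List TimeCreated, Id, Message
}
```

Running this on each DC shows whether the post-patch setting has been applied and which devices are still making vulnerable connections, which is what the Microsoft guidance asks administrators to work through before the enforcement phase.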
As Onebite notes, Microsoft also released patches for 6 memory corruption vulnerabilities in Media Foundation (CVE-2020-1525, CVE-2020-1379, CVE-2020-1477, CVE-2020-1478, CVE-2020-1492, CVE-2020-1554).
An attacker persuading a user to open a malicious file would get the same rights as that user. All Media Foundation installations should be prioritised for patching.
More to follow.