August Patch Tuesday 2020
August is here already! I know! It is all a blur. Each month as we pull together Patch Tuesday analysis and communicate to our many followers, I get a stream of responses simply saying “Pause Patch Tuesday.” If only threat actors got the memo that there was a pandemic and they should take a break for a bit… Point of fact – they are busy as ever. This month Microsoft has responded by plugging 120 distinct vulnerabilities across Microsoft Windows, Edge, Internet Explorer, Office, SQL Server Management Studio, .Net Framework, and a variety of additional Microsoft components and development tools. Adobe and Apple have thrown a few more security updates into the mix. Adobe has resolved 26 CVES in Acrobat and Reader and Apple resolved 20 CVEs in iCloud yesterday.
Microsoft’s release includes 17 Critical CVEs of the 120 total CVEs resolved. There are two Zero Day vulnerabilities and one Publicly Disclosed vulnerability in this release. The vulnerabilities impact all of the Windows Operating System versions all the way back to Windows 7 and Server 2008 and Internet Explorer across all OSs. The Public Disclosure also happens to be one of the two Zero Days. This release also includes the resolution of Windows Print Spooler Elevation of Privilege vulnerability (CVE-2020-1337) that made recent headlines.
Microsoft resolved a Critical vulnerability (CVE-2020-1380) in Microsoft Scripting Engine which could allow an attacker to arbitrarily execute code in the context of the current user. This vulnerability impacts Internet Explorer across all Windows editions including Windows 7 and Server 2008. This vulnerability can be used to target a user through a specially crafted website, compromised websites where user-provided content or advertisements are allowed, and through applications or Microsoft Office documents that host the IE rendering engine. Limiting the privileges of a user would mitigate what access an attacker would gain by exploiting this vulnerability. The exploit appears to be affecting the newer operating system versions.
Microsoft resolved an Important vulnerability (CVE-2020-1464) in Microsoft Windows that could allow bypass of security features and load improperly signed files. This vulnerability has been publicly disclosed and has been detected in attacks in the wild. Interestingly the vulnerability is only rated as Important and has a CVSSv3 base score of 5.3 even though it is being actively exploited. This is a great example of how prioritization can miss priority items. Those who deploy based on vendor severity Critical or CVSS scores of a certain level or higher should ensure they have other metrics to catch known exploited or publicly disclosed vulnerabilities.
Another vulnerability of note that was resolved this month is in Netlogon (CVE-2020-1472). This is a two part update. The second part is going to be coming in February 2021, but Microsoft is indicating you should be prepping for that event starting with this maintenance window. The vulnerability would allow an unauthenticated attacker to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is introducing a change to Netlogon secure channel to resolve the vulnerability, but the change could impact your environment. Starting with this release they have outlined event IDs you should be looking for and acting on as these will be affected by the February change. For more details see this Microsoft article.