This Patch Tuesday follows the 2020 trend of 100+ vulnerabilities, but unlike last month, there are no major alarm bells to sound. August brings us fixes for 120 unique vulnerabilities, with 17 of them listed as “Critical” and 97 listed as “Important.” Only a handful are listed as “Low” or “Moderate.” There are, however, a few listed as “Exploitation More Likely,” and one is listed as “Exploitation Detected.” This means it’s still important to deploy patches in a timely manner and make sure your other layers of security are up to date and functioning properly. As always, we’ll focus on the vulnerabilities listed as “Critical” and a few others that still need attention.
CVE-2020-1472 is a Netlogon Elevation of Privilege Vulnerability that could allow an attacker to gain Domain Administrator privileges if it were to send a specially crafted packet using the Netlogon Remote Protocol to a Domain Controller. It’s listed as “Exploitation Less Likely” by Microsoft.
According to Microsoft, this fix will require two stages: this month’s update and a follow-on update in Q1 of 2021 to enforce the changes being made to the secure channel connections. With this update, you’ll see new Event IDs for systems that use the vulnerable connections, and you can enable enforcement now with a registry change. There’s also a new Group Policy object that will allow you to make exceptions for non-compliant systems. Once the second phase is rolled out, the insecure connections will be refused, even for those systems you’ve configured an exclusion for. In short, it’s important to read the FAQ in the linked article and the accompanying documentation (supplied here) to fully understand the implications of these changes. That way, you can be prepared when the enforcement phase comes next year. This vulnerability affects all Server operating systems from 2008 R2 up to the current version, including Core versions.
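To make the two-phase plan concrete, here is an added PowerShell example (not code from the original post or from Microsoft) that a Domain Controller admin can use to find the systems still making vulnerable Netlogon connections before flipping enforcement on. It assumes the Netlogon event IDs 5827 through 5831 and the `FullSecureChannelProtection` registry value under `HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`, which come from Microsoft’s KB guidance for CVE-2020-1472 rather than from this article, and it assumes the first inserted string of each event is the calling machine’s SamAccountName. Run it on a DC with administrator rights.

```powershell
# Added example: inventory vulnerable Netlogon secure-channel usage and
# (optionally) enable enforcement mode ahead of the 2021 enforcement phase.
# Assumption (from Microsoft KB guidance, not this post):
#   5827 / 5828  connection DENIED for a machine / trust account
#   5829         vulnerable connection ALLOWED (only while enforcement is off)
#   5830 / 5831  vulnerable connection allowed by a Group Policy exception
$NetlogonEventIds = 5827, 5828, 5829, 5830, 5831
$NetlogonParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-VulnerableNetlogonClients {
    # Summarize, per calling account, which Netlogon events a DC logged recently.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = $NetlogonEventIds
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    $events |
        ForEach-Object {
            [pscustomobject]@{
                # Assumption: first inserted string is the SamAccountName;
                # inspect $_.Message if your events differ.
                Account = $_.Properties[0].Value
                EventId = $_.Id
                Time    = $_.TimeCreated
            }
        } |
        Group-Object Account |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Count    = $_.Count
                EventIds = ($_.Group.EventId | Sort-Object -Unique) -join ','
                LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } |
        Sort-Object Count -Descending
}

function Get-NetlogonEnforcementState {
    # Report whether this DC is already refusing vulnerable connections.
    $v = Get-ItemProperty -Path $NetlogonParams -Name FullSecureChannelProtection `
         -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'NotConfigured (deployment phase: vulnerable connections still allowed)' }
    elseif ($v.FullSecureChannelProtection -eq 1) { 'Enforced' }
    else { 'Disabled' }
}

function Enable-NetlogonEnforcement {
    # Turn enforcement on now; supports -WhatIf so it can be dry-run first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($NetlogonParams, 'Set FullSecureChannelProtection=1')) {
        New-ItemProperty -Path $NetlogonParams -Name FullSecureChannelProtection `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: review the report first; only enforce once it is empty or every
# remaining account is covered by the Group Policy exception.
Get-VulnerableNetlogonClients -Days 14 | Format-Table -AutoSize
Get-NetlogonEnforcementState
# Enable-NetlogonEnforcement -WhatIf   # dry run; drop -WhatIf to apply
```

Any account that shows up with event 5829 will stop working when enforcement is switched on, which is exactly the list you want to clear (or cover with the new Group Policy exception) before Q1 2021.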
There are five vulnerabilities with the title Media Foundation Memory Corruption Vulnerability this month, with affected operating systems being slightly different.
CVE-2020-1477, CVE-2020-1379, and CVE-2020-1554 are Remote Code Execution vulnerabilities that could grant an attacker full control over the system if a user were tricked into opening a specially crafted document or visited a malicious webpage. They’re all rated as “Exploitation Less Likely” and affect Windows 7 up to the current version of Windows 10, including the corresponding Server versions.
CVE-2020-1492 has the same description as above but only affects Windows 8.1 through the current version of Windows 10 and Server 2012R2 and above, including Core installations.
CVE-2020-1525 only affects all versions of Windows 10 up to the current version, including Server versions.
CVE-2020-1560 and CVE-2020-1585 are both titled Microsoft Windows Codecs Library Remote Code Execution Vulnerability. They address how images are handled in memory. This fixes an issue where a user could be tricked into opening the image file and granting the attacker access to the system. They’re listed as “Exploitation Less Likely” and affect Windows 10 from version 1709 up to the current version, including the corresponding Server editions.
CVE-2020-1574 has the same description as above but only affects Windows 10 versions 1909 and 2004.
Next up is CVE-2020-1339, a Windows Media Remote Code Execution Vulnerability in Windows 7 up to the current version of Windows 10 (including all Server versions). It’s a remote code execution vulnerability that would grant an attacker full rights to a system if the user were to open a document or visit a webpage.
CVE-2020-1046 is a .NET Framework Remote Code Execution Vulnerability that would require an attacker to upload a specially crafted file to a web application that used one of the affected versions of .NET Framework. The vulnerability affects .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.7.2, and 4.8 on all supported operating systems.
There are a few that need some attention here, as there are “Exploitation More Likely” ratings and one “Exploitation Detected” in this month’s browser patches.
CVE-2020-1380 is a Scripting Engine Memory Corruption Vulnerability in Internet Explorer 11 on all supported operating systems. It’s a remote code execution vulnerability that can be triggered if a user visits a malicious website. Microsoft indicates there are active attacks against this vulnerability with the “Exploitation Detected” rating, so browsers should get special attention this month.
Another Scripting Engine Memory Corruption Vulnerability, CVE-2020-1570, found in Internet Explorer 11 on all supported operating systems and Internet Explorer 9 on Server 2008, is listed as “Exploitation More Likely.”
The final Scripting Engine Memory Corruption Vulnerability this month affects Edge. This one, CVE-2020-1555, is in the EdgeHTML version of the Edge browser, on all versions of Windows 10 that support it. It’s listed as “Exploitation Less Likely.”
Another “Exploitation More Likely” rating goes to CVE-2020-1567, an MSHTML Engine Remote Code Execution Vulnerability in IE11. This vulnerability requires the user to be tricked into editing a file and would grant the same privileges as the logged-on user.
The last “Critical” browser vulnerability is CVE-2020-1568, the Microsoft Edge PDF Remote Code Execution Vulnerability in the EdgeHTML version of Microsoft Edge. This vulnerability grants an attacker the same rights as the logged-on user if the user were to access a malicious PDF or a website that hosted it. It’s listed as “Exploitation Less Likely.”
The final “Critical” is a Microsoft Outlook Memory Corruption Vulnerability. CVE-2020-1483 is a remote code execution vulnerability that would grant the same rights as the user if they were to access a file or visit a website that hosts the file. Microsoft states in the article that this vulnerability is rated as “Critical” mainly because the Preview Pane in Outlook is an attack vector—meaning the user wouldn’t have to fully open the attached document to be vulnerable. This vulnerability affects Microsoft 365 Apps for Enterprise, Microsoft Office 2019, and Outlook 2010 through 2016.
During my reviews, I occasionally run across an “Important” vulnerability that is rated as “Exploitation More Likely” or “Exploit Detected.” I assume they’re not listed as “Critical” because they’re not remote code execution and require access to the vulnerable systems. However, sometimes one of these “Important” vulnerabilities can end up as part of a multi-stage attack.
It seems that may be the case with CVE-2020-1464, a Windows Spoofing Vulnerability that could allow an attacker to bypass security features in the operating system and load malicious files. This vulnerability is listed as “Exploitation Detected,” meaning it’s been seen in the wild. It affects Windows 7 up to the current version of Windows 10, including Server operating systems.
CVE-2020-1529 is a Windows GDI Elevation of Privilege Vulnerability that requires a user to log on to the system it would affect. As an elevation of privilege vulnerability, it could be used as part of a multi-stage attack once an actor gains access to an affected system.
While there are no issues this month that warrant an emergency patch cycle, I recommend focusing on workstations first because of the browser vulnerabilities under active attack and also the spoofing vulnerability. Next, spend some time reading and reviewing the details for the Netlogon Elevation of Privilege Vulnerability at the beginning of this article so you’re ready to implement the changes with as few surprises as possible. Also, ensure your Office patches are up-to-date. Then focus on server patching at the next available patch window.
As I stated in the introduction, almost all the patches and vulnerabilities listed in this month are “Critical” or “Important,” and very few are listed as “Low” or “Moderate.” In the current threat landscape, it’s important to ensure all systems are patched and up-to-date on a regular schedule and that other layers of security in your environment are functioning and up-to-date.
As always, let’s stay safe out there!
Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd