On this Tuesday, August 2020 patch:
Microsoft has released patches for 120 CEVs, 17 of which are critical and the rest important. One (CVE-2020-1464) is known to the public and actively exploited, and (CVE-2020-1380) is also under attack.
The CVE-2020-1464 allows an attacker to bypass security features designed to prevent the upload of poorly signed files and affects all supported versions of Windows. Therefore, updating it is a priority.
“CVE-2020-1464 is evidence that security organizations do not make their patch decisions solely based on CVSS score and severity score, but face all security vulnerabilities as a flaw in their attack surface, welcoming any malicious player to their network. said Richard Melick, senior technical director of products at Automox.
“When reaching a CVSS of 5.3, it has been reported that this identity theft vulnerability is exploited in legacy and newer versions of Windows and Windows Server, which is more worrying because 25% of connected Windows devices are still running Windows 7.”
CVE-2020-1380 is an error in the Internet Explorer script engine and code execution in a formula that runs a vulnerable browser edition.
“In an Internet attack scenario, an attacker can simply host a specially designed Internet site to exploit the vulnerability through Internet Explorer and then convince the user to stop at the website. An attacker can also integrate an ActiveX marked as “secure for boot” into a Microsoft Office application or document that hosts the IE rendering engine, Microsoft explained.
“The attacker can also take advantage of the merit of being engaged and settling for or hosting user-provided content or ads. This would possibly involve specially designed content that can also exploit the vulnerability.”
This failure is also under active attack, so IS users deserve to be as soon as possible.
Dustin Childs of trend Micro Zero Day Initiative is also known as CVE-2020-1472, a NetLogon elevation of privilege vulnerability, as well as to be temporarily corrected.
“A netlogon Remote Protocol (MS-NRPC) vulnerability can allow attackers to run their programs on a network device. An unauthenticated attacker would use MS-NRPC to connect to a domain controller (DC) to gain administrative access,” he said. said, but noticed that repairing it completely would be a problem.
“[The patch released today] allows domain controllers to protect devices, however, a momentary solution recently scheduled for the first quarter of 2021 applies a secure remote procedure call (RPC) with Netlogon to fully correct this error. After applying this solution, you still want to make adjustments to your DC. Microsoft has issued rules to help directors decide the appropriate configuration. »
“There are many non-Windows device deployments in the Netlogon Remote protocol (also called MS-NRPC). To enable unsupported deployment providers to provide updates to customers, a time-scheduled edition for the first quarter of 2021 will apply coverage to all gadgets in the domain,” Microsoft added.
Other critical vulnerabilities have been in arrayNET Framework, Media Foundation, Microsoft Edge, Windows Code Library, MSHTML engine, script engine, Windows Media, and Outlook.
The provided Outlook updates should also be rolled out temporarily, as they fix two vulnerabilities, an NCE error and data disclosure, which can be triggered from the display pane.
As announced last week, Microsoft also delivered a solution today for CVE-2020-1337, a privilege escalation vulnerability in the Windows Print Spooler service, which affects all versions of Windows 7 to Windows 10 (32-bit and 64-bit). Researchers who found out promised to launch a PoC exploit this week.
Adobe has released security updates for Adobe Acrobat and Reader versions for Windows and macOS, and Adobe Lightroom for Windows.
The former are more because they fix 11 critical vulnerabilities that can lead to code execution and allow attackers to bypass one security feature as well as another 15 high-risk errors.
Acrobat and Reader are also used more widely than Adobe Lightroom, which is a circle of relatives in the symbol manipulation and organization software. Lightroom update fixes a privilege escalation failure.
None of the constant vulnerabilities are actively exploited and no public exploits are available, however, Zero Day Initiative has announced that it will tweet the proof-of-concept demo for CVE-2020-9697, a reminiscences leak error in Acrobat and Reader.
If you are still using Adobe Flash, you are reaching the end of your life at the end of the year and plan accordingly.
Unsurprisingly, Apple chose this Tuesday patches for security updates for iCloud for Windows 7.20 (for Windows 7 and later) and 11.3 (for Windows 10 and later).
Both updates provide patches for (mostly) the same vulnerabilities:
Google has still promoted Chrome 85 from the beta channel, but has released Chrome 84.0.4147.125 for Windows, Mac and Linux.
No vulnerabilities have been fixed, but many medium and high risk vulnerabilities have been fixed.