Microsoft has released fixes for 120 vulnerabilities, including two zero-days, in its latest Patch Tuesday security update for Windows 10.
Among the main vulnerabilities fixed is the flaw designated CVE-2020-1464, a spoofing vulnerability through which an attacker can bypass Windows 10 security features and load improperly signed files on a user's machine. This vulnerability has been publicly disclosed and detected in real-world attacks, though Microsoft has provided no further details.
The second zero-day fixed by Microsoft is CVE-2020-1380, a remote code execution vulnerability in the Internet Explorer scripting engine. This vulnerability was reported to Microsoft by antivirus software vendor Kaspersky and allows attackers to execute malicious code in Internet Explorer, through which an unauthorized user can take over other parts of the victim's system.
According to Microsoft, an attacker who successfully exploits the vulnerability can obtain the same user rights as the current user: if the current user is logged on with administrator rights, for example, the attacker can take control of the system and install programs; view, edit, or delete data; or create new accounts at will.
Kaspersky explained that the exploit was dangerous regardless of whether Internet Explorer was used as the main web browser on a PC: some Microsoft applications, such as Office, use Internet Explorer to play videos and render web pages in documents through the ActiveX extension. An attacker can therefore exploit the code through ActiveX, delivering it in a document, or lure users to a malicious site.
Another notable vulnerability resolved in the August security update is CVE-2020-147. This flaw allowed an attacker to use the Netlogon Remote Protocol (MS-NRPC) to connect to a domain controller and gain domain administrator access. Microsoft is fixing this vulnerability in a two-part update, starting with a change in the way Netlogon handles the use of secure channels.
Additional patches deployed by Microsoft cover its Edge browser, Office, SQL Server Management Studio, .NET Framework, as well as other components and development tools. Adobe has also released patches for 26 vulnerabilities in its Acrobat and Reader applications.
All the latest Patch Tuesday patches are available through Windows Update. ZDNet has published an exhaustive list of everything included, as well as a list of security updates released by other companies this week.
Owen Hughes is a London-based journalist for ZDNet and TechRepublic.