Pictured: the Mountain View, California regional headquarters of Microsoft, which just patched 120 software program vulnerabilities for Patch Tuesday. (Smith Collection/Gado/Getty Images)
With its most recent often scheduled security update, Microsoft has fixed 120 software package vulnerabilities, like 17 critical flaws, one particular of which is a zero-working day bug that has been actively exploited in the wild.
Microsoft this calendar year has presently eclipsed the total number of patches it issued through all of 2019 — a tempo that industry experts at Pattern Micro’s Zero-Working day Initiative (ZDI) claims offers a patching management challenge for companies.
“This brings the total range of Microsoft patches released this calendar year to 862 – 11 more patches than Microsoft shipped in all of 2019,” mentioned ZDI in a blog article these days. “If they keep this speed, it is very doable for them to ship more than 1,300 patches this yr. This quantity – together with difficult servicing scenarios – places excess pressure on patch administration teams.”
The to start with zero-working day is CVE-2020-1380, a memory corruption vulnerability that can outcome in remote code execution when the scripting motor mishandles objects in memory in Internet Explorer. Attackers can exploit this bug to gain the similar person rights as the present user, which could direct to a units takeover allowing for for the installation of applications, the manipulation info or the creation of privileged accounts, if the user has administrative privileges.
“In a web-dependent assault scenario, an attacker could host a specifically crafted web site that is made to exploit the vulnerability by way of Internet Explorer and then influence a person to see the web site,” Microsoft points out in its security update. “An attacker could also embed an ActiveX manage marked ‘safe for initialization’ in an application or Microsoft Workplace document that hosts the IE rendering motor. The attacker could also get benefit of compromised internet websites and sites that accept or host person-provided content material or commercials. These internet websites could have specifically crafted material that could exploit the vulnerability.”
Kaspersky noted the flaw after investigating an attempted assault in opposition to a South Korean company — an assault the business characteristics with medium self esteem to suspected South Korean APT group DarkHotel. In accordance to Kaspersky, the remote code execution endeavor involved a two-phase exploit chain making use of equally CVE-2020-1380 and a privilege escalation in the Windows printer assistance that was patched final June.
“When in the wild attacks with zero-working day vulnerabilities come about, it is normally big information for the cybersecurity community,” said Boris Larin, the security expert at Kaspersky who is precisely credited for the bug obtain. “Successful detection of these types of a vulnerability quickly pressures vendors to issue a patch and forces consumers to set up all important updates.”
“What is particularly attention-grabbing in the uncovered assault is that the earlier exploits we uncovered were being mainly about elevation of privileges,” Larin continued. “However, this circumstance involves an exploit with remote code execution abilities, which is much more harmful. Coupled with the ability to influence the hottest Windows 10 builds, the learned attack is really a exceptional point presently. It reminds us at the time again to invest into prominent danger intelligence and established protective technologies to be capable to proactively detect the most up-to-date zero-working day threats.”
“It is not known how considerable the assaults are, but considering this bug was documented by Kaspersky, it is reasonable to assume malware is included. If you’re continue to applying IE, make this 1 your prime precedence,” explained ZDI.
Microsoft patched a 2nd actively exploited zero-working day bug, CVE-2020-1464, which was categorised as vital, not critical. The flaw is a Windows spoofing vulnerability, caused by the incorrect validation of file signatures, that could empower a malicious actor to “bypass security features and load improperly signed information,” Microsoft warns in its advisory.
In addition to CVE-2020-1380, the remaining 16 critical vulnerabilities consist of two more bugs in the scripting motor, 1 in the .Net Framework, 5 in Media Basis, a single in Edge, a single Outlook, three in the Window Codecs Library, 1 in the MSHTML Engine, just one in NetLogon, and a person in Windows Media. All but one particular are remote code execution flaws, even though the remainder is an elevation of privileges.