Microsoft plugs 2 zero-days on August Patch Tuesday

Microsoft terminates two zero-days

One zero-day (CVE-2020-1464) fixed by the August Patch Tuesday releases is a Windows spoofing vulnerability rated important that would allow an attacker to sidestep the OS security features and load an improperly signed file. This bug affects all supported versions of Windows -- as well as Windows 7 and Windows 2008/2008 R2 for customers who paid for Extended Security Update (ESU) licenses for continued support of these systems that reached end of life in January. A bug that allows a malicious actor to bypass this security feature could open the door to put malicious files on a Windows system.  

"Typically, files get signed by a trusted vendor, and that signature validation is critically important to a lot of security mechanisms," said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah. "The fact that an attacker can bypass that means that they can introduce improperly validated malicious files to the operating system, and technologies that should be able to validate based on signature might be able to be tricked because of this."

Chris Goettl

Microsoft's notes on this CVE lacked the usual details about potential attack scenarios, which seems to indicate an attacker would have some additional hurdles to take advantage of the flaw. This might be why a Windows zero-day also got a relatively low CVSS base score of 5.3.

"The attacker would need to execute an asset that is improperly signed, so it's not something they can just send to somebody. Microsoft doesn't really get into details about how some attacker might be able to take advantage of that," Goettl said.

The second zero-day (CVE-2020-1380) is remote code execution vulnerability in the Microsoft Scripting Engine used in Internet Explorer 11 rated critical in Windows desktop systems and moderate on Windows Server 2008 R2, Windows Server 2012 and 2012 R2. Because the Microsoft Scripting Engine is also used in Microsoft Office, which widens the attack vector for this vulnerability.

"The vulnerability could be exploited a couple of different ways: by setting up a specially crafted website via advertisements that may be compromised, or it could be loaded up using an application or an Office document that uses the IE rendering," Goettl said.

Windows Server hit by domain controller bug

Microsoft provided a lengthy description for handling CVE-2020-1472, a critical Netlogon elevation-of-privilege flaw affecting supported Windows Server OSes, including Windows Server 2008 and 2008 R2 for ESU customers. On an unpatched domain controller -- the Active Directory component tasked with managing security authentication requests -- an attacker could acquire domain administrator access without needing system credentials. 

Microsoft said it is using a "phased two-part rollout" to patch the bug with the first part of the deployment executed in the August Patch Tuesday security update.

"The updates will enable the [domain controllers] to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions," according to the CVE instructions.

Microsoft plans the second phase on February Patch Tuesday in 2021, which it calls "the transition into the enforcement phase.

"The [domain controllers] will be placed in enforcement mode, which requires all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant device," the company wrote.

Goettl said administrators should begin testing the patch in a lab and testing it before the hard enforcement occurs, which requires all domain controllers -- even those in read-only mode -- to be updated. Microsoft provided further guidance in the support documentation at this link. 

Other notable corrections from August Patch Tuesday

• Microsoft Outlook has two CVEs this month. CVE-2020-1483 is a memory-corruption vulnerability rated critical that could let an attacker run arbitrary code in the context of the current user using several different attack vectors, including the preview pane. CVE-2020-1493 is an information-disclosure vulnerability rated important that could let an attacker view a restricted file from the preview pane by sending it as a file attachment.
• CVE-2020-1455 is a Microsoft SQL Server Management Studio denial-of-service vulnerability rated important that, if exploited, could let an attacker disrupt the use of the application.
• The .NET Framework has two CVEs. CVE-2020-1046 is a critical remote code execution vulnerability that an attacker could use to control the unpatched system using a specially crafted file. CVE-2020-1476 is an important elevation-of-privilege vulnerability in ASP.NET or .NET web applications running on IIS that could let an attacker access restricted files.
• Microsoft resolved an elevation-of-privilege vulnerability (CVE-2020-1337) rated important for supported Windows systems on both the client and server side. The patch resolved a lingering printer spooler issue that had been patched multiple times -- most recently in May -- but security researchers found a way to bypass the patch and gave a recent Black Hat USA presentation on the flaw, which has its origins in the Stuxnet worm from 2010. Despite public knowledge of the bug, Microsft's CVE did not report this as publicly disclosed.