Patch Tuesday August 2020
This month Microsoft patches 2 zero-day vulnerabilities: one in Windows and another in Internet Explorer. Plus there’s the usual array of critical and important flaws that Microsoft addresses in its monthly cumulative update for Windows.
Windows and Windows Server
Let’s start this month with the 2 zero-day bugs that Microsoft has patched. The first, CVE-2020-1464, could let an attacker bypass security features in Windows by loading improperly signed files. An attacker could load the files because Windows incorrectly validates their signatures. The bug is rated important and it affects all supported versions of Windows 10, Windows 8.1, Windows 7, and Windows Server.
The second zero-day, CVE-2020-1380, is a remote code execution (RCE) flaw in Internet Explorer’s scripting engine. Antivirus company Kaspersky reported the bug to Microsoft, and it is rated critical. The vulnerability could be used to corrupt memory and let an attacker run arbitrary code in the context of the logged-in user.
An attacker could exploit the vulnerability using a specially designed website, or by embedding an ActiveX Control marked ‘safe for initialization’ in an application or Microsoft Office document that uses IE’s rendering engine.
There are two other critical RCE bugs patched in Internet Explorer 11 this month. CVE-2020-1570 is another scripting engine bug in the way objects are handled in memory. It could let an attacker gain the same rights as the logged-in user. This is another reminder that removing admin rights from end users is an important part of a defense-in-depth security strategy.
The second critical RCE, CVE-2020-1567, is a flaw in the way the MSHTML engine validates input. An attacker could use it to run arbitrary code in the context of the logged-in user. Legacy EdgeHTML also gets patches for 2 critical RCEs and one RCE rated important.
In total this month, Windows 10 gets patches for 9 critical bugs, all RCEs. There are also patches for 58 important elevation of privilege (EoP) vulnerabilities, 8 RCEs, 9 information disclosure flaws, and 1 spoofing flaw.
Microsoft 365 Apps for Enterprise, in other words the Click-to-Run Office desktop apps that come with Microsoft 365 subscriptions, get a patch for one critical RCE, CVE-2020-1483. The flaw occurs when the software doesn’t properly handle objects in memory. An attacker could use the vulnerability to run arbitrary code in the context of the logged-in user.
Additionally, Office gets patches for 6 RCE, 1 EoP, and 5 information disclosure flaws rated important.
Exchange, SQL, and SharePoint Server
SharePoint receives 12 patches, all rated important. 7 are information disclosure vulnerabilities, and the remaining patches address spoofing bugs. There’s one patch for SQL Server Management Studio 18.6 that fixes a denial of service issue rated important.
There’s no security update for Flash Player this month, but Adobe Acrobat and Reader get patches for critical and important vulnerabilities that could let an attacker run arbitrary code in the context of the logged-in user.
That’s it for another month.