This month Microsoft patches 2 zero-day vulnerabilities, one in Windows and another in Internet Explorer. Plus there’s the usual array of critical and important flaws that Microsoft addresses in its monthly cumulative update for Windows.
Windows and Windows Server
Let’s start this month with the 2 zero-day bugs that Microsoft has patched. The first, CVE-2020-1464, could let an attacker bypass security features in Windows by loading improperly signed files. An attacker could load the files because Windows incorrectly validates their signatures. The bug is rated important and it affects all supported versions of Windows 10, Windows 8.1, Windows 7, and Windows Server.
The second zero-day, CVE-2020-1380, is a remote code execution (RCE) flaw in Internet Explorer’s scripting engine. Antivirus company Kaspersky reported the bug to Microsoft, and it is rated critical. The vulnerability could be used to corrupt memory to let an attacker run arbitrary code in the context of the logged in user.
An attacker could exploit the vulnerability using a specially designed website, or by embedding an ActiveX Control marked ‘safe for initialization’ in an application or Microsoft Office document that uses IE’s rendering engine.
There are two other critical RCE bugs patched in Internet Explorer 11 this month. CVE-2020-1570 is another scripting engine bug in the way objects are handled in memory. It could let an attacker gain the same rights as the logged-in user. Another reminder that removing admin rights from end-users is an important part of a defense-in-depth security strategy.
The second critical RCE, CVE-2020-1567, is a flaw in the way the MSHTML engine validates input. An attacker could use it to run arbitrary code in the context of the logged in user. Legacy EdgeHTML also gets patches for 2 critical RCEs and one RCE rated important.
In total this month, Windows 10 gets patches for 9 critical bugs, all RCEs. There are patches for 58 important elevation of privileges (EoP) vulnerabilities, 8 RCEs, 9 information disclosure, and 1 spoofing flaw.
Microsoft Office
Microsoft 365 Apps for Enterprise, in other words the Click-to-Run Office desktop apps that come with Microsoft 365 subscriptions, get a patch for one critical RCE, CVE-2020-1483. A problem occurs where software doesn’t properly handle objects in memory. An attacker could use the vulnerability to run arbitrary code in the context of the logged-in user.
Additionally, Office gets patches for 6 RCE, 1 EoP, and 5 information disclosure flaws rated important.
Exchange, SQL, and SharePoint Server
SharePoint receives 12 patches, all rated important. 7 are information disclosure vulnerabilities and the remaining patches address spoofing bugs. There’s one patch for SQL Server Management Studio 18.6 that fixes a denial of service issue rated important.
Adobe software
There’s no security update for Flash Player this month but Adobe Acrobat and Reader get patches for critical and important vulnerabilities that could let an attacker run arbitrary code in the context of the logged in user.
That’s it for another month.