
Patch Tuesday August 2020

This month Microsoft patches 2 zero-day vulnerabilities, one in Windows and another in Internet Explorer. Plus there’s the usual array of critical and important flaws that Microsoft addresses in its monthly cumulative update for Windows.

Windows and Windows Server

Let’s start this month with the 2 zero-day bugs that Microsoft has patched. The first, CVE-2020-1464, could let an attacker bypass security features in Windows by loading improperly signed files. An attacker could load the files because Windows incorrectly validates their signatures. The bug is rated important and it affects all supported versions of Windows 10, Windows 8.1, Windows 7, and Windows Server.
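Because the flaw described above lets improperly signed files pass Windows' signature checks, it is worth reviewing what the OS reports for files you stage for deployment. The following PowerShell script is an added example, not code from the Petri article or from Microsoft; it uses the built-in Get-AuthenticodeSignature cmdlet to list files whose signature status is anything other than Valid. The staging folder and file extensions are assumptions to adjust for your environment.

```powershell
# Added example (not from the article): report Authenticode signature status for
# executable content under a path, so files Windows does not report as Valid can
# be reviewed before they are run. Windows PowerShell 5.1 or PowerShell 7 on Windows.
param(
    [string]$Path = "$env:ProgramData\Deploy",            # assumed staging folder
    [string[]]$Extensions = @('*.exe', '*.dll', '*.msi', '*.ps1')
)

Get-ChildItem -Path $Path -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Status    = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
        }
    } |
    Where-Object { $_.Status -ne 'Valid' } |    # only surface files that need a second look
    Sort-Object Status, File |
    Format-Table -AutoSize
```

The cmdlet reports whatever the operating system's own signature validation returns, so this kind of review complements installing the cumulative update; it does not replace it.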

The second zero-day, CVE-2020-1380, is a remote code execution (RCE) flaw in Internet Explorer’s scripting engine. Antivirus company Kaspersky reported the bug to Microsoft, and it is rated critical. The vulnerability could be used to corrupt memory and let an attacker run arbitrary code in the context of the logged-in user.

An attacker could exploit the vulnerability using a specially designed website, or by embedding an ActiveX Control marked ‘safe for initialization’ in an application or Microsoft Office document that uses IE’s rendering engine.


There are two other critical RCE bugs patched in Internet Explorer 11 this month. CVE-2020-1570 is another scripting engine bug in the way objects are handled in memory. It could let an attacker gain the same rights as the logged-in user. This is another reminder that removing admin rights from end users is an important part of a defense-in-depth security strategy.
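Since several of this month's RCEs run code with the rights of the logged-in user, a quick way to check whether end users on a machine still hold admin rights is to compare the local Administrators group against a known baseline. The script below is an added example, not from the article; it relies on the Microsoft.PowerShell.LocalAccounts module that ships with Windows PowerShell 5.1, and the baseline list is a placeholder to replace with your own.

```powershell
# Added example (not from the article): flag members of the local Administrators
# group that are not on an expected baseline, to audit end-user admin rights.
# Run in an elevated session on Windows PowerShell 5.1 / PowerShell 7 on Windows.
# $Allowed is an assumption; replace it with the accounts and groups you expect.
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Workstation Admins'      # placeholder domain group
)

# Name comes back as COMPUTERNAME\user for local accounts and DOMAIN\name for domain principals
$members = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

$unexpected = $members | Where-Object { $Allowed -notcontains $_.Name }

if ($unexpected) {
    Write-Warning "Unexpected members of local Administrators on $($env:COMPUTERNAME):"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators membership matches the baseline.'
}
```

Run it as part of a login or configuration-management check; any account it flags is a user who would inherit full admin rights if one of the browser or Office RCEs above were triggered in their session.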

The second critical RCE, CVE-2020-1567, is a flaw in the way the MSHTML engine validates input. An attacker could use it to run arbitrary code in the context of the logged-in user. Legacy EdgeHTML also gets patches for 2 critical RCEs and one RCE rated important.

In total this month, Windows 10 gets patches for 9 critical bugs, all RCEs. There are patches for 58 important elevation of privileges (EoP) vulnerabilities, 8 RCEs, 9 information disclosure, and 1 spoofing flaw.

Microsoft Office

Microsoft 365 Apps for Enterprise, in other words the Click-to-Run Office desktop apps that come with Microsoft 365 subscriptions, get a patch for one critical RCE, CVE-2020-1483. The flaw occurs because the software doesn’t properly handle objects in memory. An attacker could use the vulnerability to run arbitrary code in the context of the logged-in user.

Additionally, Office gets patches for 6 RCE, 1 EoP, and 5 information disclosure flaws rated important.

Exchange, SQL, and SharePoint Server

SharePoint receives 12 patches, all rated important. Seven are information disclosure vulnerabilities and the remaining patches address spoofing bugs. There’s one patch for SQL Server Management Studio 18.6 that fixes a denial of service issue rated important.

Adobe software

There’s no security update for Flash Player this month, but Adobe Acrobat and Reader get patches for critical and important vulnerabilities that could let an attacker run arbitrary code in the context of the logged-in user.

That’s it for another month.


4 responses to “Patch Tuesday August 2020”

  1. You stated that there were 2 zero-days patched, but you didn't mention how they are currently being actively attacked – zero day means that the bad guys have been exploiting it *before* it was discovered by security researchers/Microsoft and a patch could be released


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.