Zero-Day Vulnerabilities in Microsoft (CVE-2020-1464, CVE-2020-1380)

For August 2020 Patch Tuesday, Microsoft rolled out 120 security updates across 13 different products, including Windows, Edge (EdgeHTML-based and Chromium-based), Office, Internet Explorer (IE), ChakraCore, and developer tools such as .NET Framework, ASP.NET, and Visual Studio. Of these vulnerabilities, 17 are classified as Critical and 103 as Important. The 17 critical bugs can be exploited by attackers to gain complete control over an affected system with little or no help from users.

According to Microsoft, two vulnerabilities (CVE-2020-1464, CVE-2020-1380) are under active attack.

CVE-2020-1464 – Windows Spoofing Vulnerability

The spoofing bug is publicly known and is being exploited in the wild. The vulnerability exists when Windows incorrectly validates file signatures. Attackers who successfully exploit it could bypass security features and load improperly signed files. In an attack scenario, attackers could bypass security features intended to prevent improperly signed files from being loaded. Technical details and the real-world attacks have not been made public, as withholding them prevents attackers from inferring how and where the vulnerability resides and prolongs the time it takes for other exploits to appear in the wild.

CVE-2020-1380 – Scripting Engine Memory Corruption Vulnerability

The RCE (Remote Code Execution) bug exists in the way the scripting engine handles objects in memory in Internet Explorer. The bug corrupts memory in such a way that attackers can execute arbitrary code in the context of the current user. Successful exploitation gives attackers the same user rights as the current user. If the current user is logged in with administrative user rights, attackers who successfully exploit the vulnerability could gain control of the affected system. With administrative rights, attackers can install programs; view, change, or delete data; or create new accounts with full user rights.

According to Microsoft,

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability”

Remediation

Please check out the recently published Microsoft Advisories for applying patches.

Detection

Qualys customers can scan their network with QIDs 100409 (for CVE-2020-1380) and 91668 (CVE-2020-1464) to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
