Microsoft Patches 120 CVEs Including Two Zero Days

It was another big Patch Tuesday this month with over 100 CVEs fixed by Microsoft, including two being actively exploited in the wild.

Of the 120 vulnerabilities addressed this month, 17 were rated critical. Experts agreed that system administrators should focus on the two zero-day bugs.

“The first, CVE-2020-1464, is a spoofing vulnerability in Windows Operating System. The vulnerability exists in the way Windows validates file signatures,” explained Recorded Future senior security architect, Allan Liska.

“When this vulnerability is exploited, it allows an attacker to bypass security features to allow improperly signed files to be loaded. This vulnerability impacts Windows 7 through Windows 10 and Windows Server 2008 through 2019.”

The second priority is CVE-2020-1380, a remote code execution vulnerability in Microsoft’s Scripting Engine related to how objects in memory are handled by Internet Explorer.

Successful exploitation, via an infected web page or malicious doc with embedded ActiveX control, would enable an attacker to execute arbitrary code as the current user, according to Satnam Narang, staff research engineer at Tenable.

“If said user happens to have administrative privileges, the attacker would be able to perform a variety of actions including creating accounts with full privileges, accessing and deleting data and installing programs,” he warned.

“This vulnerability has reportedly been exploited in the wild as a zero-day, likely as part of a targeted attack.”

Elsewhere, CVE-2020-1554, CVE-2020-1492, CVE-2020-1379, CVE-2020-1477, and CVE-2020-1525 are all critical RCE vulnerabilities in the Windows Media Foundation (WMF), a framework that has now been hit by 10 critical bugs this year, according to Liska.

Adding to the workload for system admins, Adobe fixed 26 CVEs in Acrobat and Reader and Apple resolved 20 CVEs in iCloud yesterday.

What’s Hot on Infosecurity Magazine?