Systems running the Windows 10 Anniversary Update were shielded from two exploits even before Microsoft had issued patches for them, its researchers have found.
Microsoft has started rolling out today the August 2020 Patch Tuesday security updates.
This month, the company has patched 120 vulnerabilities across 13 different products, from Edge to Windows, and from SQL Server to the .NET Framework.
Among the 120 vulnerabilities fixed this month, 17 bugs have received the highest severity rating of “Critical,” and there are also two zero-days — vulnerabilities that have been exploited by hackers before Microsoft was able to provide today’s patches.
The first of the two zero-days patched this month is a bug in the Windows operating system. Tracked as CVE-2020-1464, Microsoft says that an attacker can exploit this bug and have Windows incorrectly validate file signatures.
The OS maker says attackers can (ab)use this bug to “bypass security features and load improperly signed files.”
As with all Microsoft security advisories, technical details about the bug and the real-world attacks have not been made public. Microsoft security team uses this approach to prevent other hackers from inferring how and where the vulnerability wors/resides, and prolong the time it takes for other exploits to appear in the wild.
As for the second zero-day, this one is tracked as CVE-2020-1380, and resides in the scripting engine that ships with Internet Explorer.
Microsoft said it received a report from antivirus maker Kaspersky that hackers had found a remote code execution (RCE) bug in the IE scripting engine and where abusing it in real-world attacks.
While the bug resides in the IE scripting engine, other native Microsoft apps are also impacted, such as the company’s Office suite.
This is because Office apps use the IE scripting engine to embed and render web pages inside Office documents, a feature where the scripting engine plays a major role.
This means the bug can be exploited by luring users on malicious sites, or by sending them booby-trapped Office files.
Below is some useful information about today’s Microsoft Patch Tuesday, but also the security updates released by other companies this month, which sysadmins might also need to address as well, besides Microsoft’s batch.
[ZDNet usually provides a list of all bugs patched each month, but today, the Microsoft API has been unresponsive. The list will be provided once the API is updated with this month’s updates.]