Microsoft scheduled updates for this month are out. With Patch Tuesday August, Microsoft fixed over a hundred security vulnerabilities including two zero-day flaws.
Microsoft Fixed Two Zero-Day Bugs
The first zero-day receiving a fix with Microsoft August Patch Tuesday is CVE-2020-1464. This important severity vulnerability was not only publicly known but exploited as well.
Explaining about this bug, Microsoft’s advisory states,
A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files.
In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded.
Microsoft patched the flaw by rectifying how Windows validates file signatures.
The second zero-day flaw, CVE-2020-1380, was a critical memory corruption bug affecting the scripting engine. Exploiting this bug could lead to remote code execution by an adversary in the context of the current user.
While this vulnerability remained undisclosed, it still suffered active exploitation.
Other August Patch Tuesday Updates
Apart from the two zero-days, Microsoft also patched 16 other critical severity bugs. Among these, except for the vulnerability CVE-2020-1472, all other vulnerabilities could result in remote code execution.
Whereas, CVE-2020-1472 affecting the Netlogon Remote Protocol could allow an attacker to gain elevated privileges on the target system. Regarding this bug, Microsoft stated in the advisory,
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
Microsoft is patching this bug in two phases. While it rolled out the first phase with August updates, the second is due for release in Q1 2021.
Besides, Microsoft also addressed 102 different important severity vulnerabilities affecting different products. Whereas, the update bundle includes no low severity bugs, just like the July updates.
Let us know your thoughts in the comments.