Two exploited zero-days fixed in Patch Wednesday

Microsoft has fixed two exploited vulnerabilities in Windows that can be used by attackers to remotely execute code on victim's machines. 

The first one was reported by Russian security vendor Kaspersky, and affects the scripting engine in the Internet Explorer version 11 web browser for Windows.

Labelled CVE-2020-1380, Microsoft said the critical vulnerability could corrupt system memory in a way that allows attackers to run any code they like remotely.

"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convice a user to view the website," Microsoft wrote in its advisory.

It is also possible to embed ActiveX controls in Office documents or applications, to exploit the IE 11 scripting engine vulnerability.

A second vulnerability, CVE-2020-1464, can be used by attackers to bypass the security features that prevent files with improper digital signatures from being loaded.

This is marked as important rather than critical, and affects all supported versions of Windows.

While Microsoft said it has detected active exploitation of both of the above vulnerabilties, it did not say when and where, or by whom.

Overall, 17 flaws fixed in today's Patch Wednesday set are rated as critical.

One is a privilege escalation bug that affects the Windows Print Spooler service, and is due to an earlier patch for the vulnerability being incomplete, research engineer Satnam Narang at security vendor Tenable said.

“The Windows Print Spooler service may sound familiar as it was weaponised by a separate vulnerability in the infamous Stuxnet worm a decade ago," Narang said.

CVE-2020-1337 is a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020.

Researchers found that the patch for CVE-2020-1048 was incomplete and presented their findings for CVE-2020-1337 at the Black Hat conference earlier this month,”  he added.

Apart from Windows and Office, Microsoft patched standalone programs and frameworks, including:

• Edge web browser, (both EdgeHTML and Chromium)
• ChakraCore Javascript renderer
• Internet Explorer
• Microsoft Scripting Engine
• SQL Server
• JET Database Engine
• .NET Framework
• ASP.NET Core
• Windows Codecs Library
• Dynamics

Today's Patch Wednesday handles a total of 120 security vulnerabilities.

Update, 13/8: Boris Larin, the Kaspersky security researcher that reported the CVE-2020-1380 vulnerability to Microsoft that was patched yesterday published more details on the bug today.

Larin said that the above exploit was chained together with a privilege escalation flaw in Windows, and used to attack a South Korean company by means of a malicious script for Internet Explorer.

Kaspersky dubbed the attack Operation PowerFall.

While Kaspersky has been unable to establish a definitely link with known threat actors, the security vendor says the attack has similarities with previously discovered exploits used by the DarkHotel group. 

DarkHotel has been active globally since 2007 and targets a wide range of industries, including electronics, investment capital, pharmaceuticals, defence technology and cars.

It has also attacked law enforcement, military and non-governmental organisations, Kaspersky said.