iTnews

Two exploited zero-days fixed in Patch Wednesday

By Juha Saarinen on Aug 12, 2020 12:42PM

120 bugs squashed in total.

Microsoft has fixed two exploited vulnerabilities in Windows that can be used by attackers to remotely execute code on victims' machines.

The first one was reported by Russian security vendor Kaspersky, and affects the scripting engine in the Internet Explorer version 11 web browser for Windows.

Labelled CVE-2020-1380, Microsoft said the critical vulnerability could corrupt system memory in a way that allows attackers to run any code they like remotely.

"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website," Microsoft wrote in its advisory.

It is also possible to embed ActiveX controls in Office documents or applications, to exploit the IE 11 scripting engine vulnerability.

A second vulnerability, CVE-2020-1464, can be used by attackers to bypass the security features that prevent files with improper digital signatures from being loaded.

This is marked as important rather than critical, and affects all supported versions of Windows.

While Microsoft said it has detected active exploitation of both of the above vulnerabilities, it did not say when and where, or by whom.

Overall, 17 flaws fixed in today's Patch Wednesday set are rated as critical.

One is a privilege escalation bug that affects the Windows Print Spooler service, and is due to an earlier patch for the vulnerability being incomplete, research engineer Satnam Narang at security vendor Tenable said.

“The Windows Print Spooler service may sound familiar as it was weaponised by a separate vulnerability in the infamous Stuxnet worm a decade ago,” Narang said.

CVE-2020-1337 is a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020.

“Researchers found that the patch for CVE-2020-1048 was incomplete and presented their findings for CVE-2020-1337 at the Black Hat conference earlier this month,” he added.

Apart from Windows and Office, Microsoft patched standalone programs and frameworks, including:

  • Edge web browser (both EdgeHTML and Chromium)
  • ChakraCore JavaScript renderer
  • Internet Explorer
  • Microsoft Scripting Engine
  • SQL Server
  • JET Database Engine
  • .NET Framework
  • ASP.NET Core
  • Windows Codecs Library
  • Dynamics

Today's Patch Wednesday handles a total of 120 security vulnerabilities.

Update, 13/8: Boris Larin, the Kaspersky security researcher who reported the CVE-2020-1380 vulnerability that Microsoft patched yesterday, published more details on the bug today.

Larin said that the above exploit was chained together with a privilege escalation flaw in Windows, and used to attack a South Korean company by means of a malicious script for Internet Explorer.

Kaspersky dubbed the attack Operation PowerFall.

While Kaspersky has been unable to establish a definite link with known threat actors, the security vendor says the attack has similarities with previously discovered exploits used by the DarkHotel group.

DarkHotel has been active globally since 2007 and targets a wide range of industries, including electronics, investment capital, pharmaceuticals, defence technology and cars.

It has also attacked law enforcement, military and non-governmental organisations, Kaspersky said.
