Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-day


Microsoft today began rolling out the August 2020 Patch Tuesday security updates.

This month, the company patched 120 vulnerabilities across 13 different products, from Edge to Windows, and from SQL Server to the .NET Framework.

Among the 120 vulnerabilities fixed this month, 17 bugs received the highest rating of “Critical”, and there are also two zero-day vulnerabilities exploited by hackers before Microsoft could deliver the patches today.

Zero-day # 1

The first of the two zero-day patches this month is a bug in the Windows operating system. Detected as CVE-2020-1464, Microsoft states that an attacker could exploit this vulnerability and incorrectly validate Windows signatures.

The OS maker says that attackers can (ab) use this bug to “bypass security features and load incorrectly signed files.”

As with all Microsoft security advice, technical details about the crash and the attacks in the real world are not made public. Microsoft security team uses this approach to prevent other hackers from wondering how and where the vulnerability was / remains, and prolongs the time it takes for other operators to appear in the wild.

Zero-day # 2

As for the second zero-day, this one is tracked as CVE-2020-1380, and resides in the scripting engine that ships with Internet Explorer.

Microsoft said it received a report from antivirus maker Kaspersky that hackers had found a bug code execution (RCE) in the IE scripting engine and where it was misused in real-world attacks.

While the bug is in the IE scripting machine, other native Microsoft apps are also affected, such as the company’s Office suite.

This is because Office apps use the IE scripting machine to embed and display web pages in Office documents, a feature where the scripting engine plays a major role.

This means that the bug can be exploited by luring users to malicious sites, or by sending them booby-trapped Office files.

Below is some useful information about the current Microsoft Patch Tuesday, as well as the security updates released by other companies this month, which sysadmins may also need to address, in addition to Microsoft’s batch.

  • The official Microsoft Security Update Guide portal lists all security updates in a filterable table.
  • Adobe security updates are detailed here.
  • SAP security updates are available here.
  • VMWare security updates are available here.
  • Citrix has also released some patches today.
  • The quarterly patches from Oracle (for Q2 2020, July edition) are available here.
  • Chrome 84 security updates are detailed here.
  • The Android Security Bulletin for August 2020 is detailed here. Patches started rolling out last week to users’ phones.

[ZDNet usually provides a list of all bugs patched each month, but today, the Microsoft API has been unresponsive. The list will be provided once the API is updated with this month’s updates.]