➠ The August 2020 Security Update Review

August is here and so is the latest batch of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for August 2020

The Adobe release for August includes only two patches. The update for Adobe Reader fixes a total of 26 bugs, eight of which came through the ZDI program. Most of these are Out-Of-Bounds (OOB) Reads, but there are also some Use-After-Free (UAF), OOB Write, stack exhaustion, and memory corruption bugs addressed. One interesting bug being fixed here is CVE-2020-9697, which was found by ZDI Vulnerability Analysis Manager Abdul-Aziz Hariri. The reliable info disclosure leak appears to have existed for more than a decade. We’ll tweet out the proof-of-concept demonstration for this one tomorrow. Yes – the demo is short enough to fit in a tweet. Also of note is the Critical-rated CVE-2020-9712. This bug could allow attackers to bypass HTML parsing mitigations within Acrobat Pro DC. Through this, an attacker can trigger the parsing of HTML documents remotely from within Acrobat. The other patch fixes one privilege escalation bug in Adobe Lightroom. 

None of the bugs patched by Adobe today are listed as publicly known or under active attack at the time of release. In the past two months, Adobe released additional patches later in the month. It will be interesting to see if that trend continues.

Microsoft Patches for August 2020

For August, Microsoft released patches for 120 CVEs in Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), Microsoft Scripting Engine, SQL Server, .NET Framework, ASP.NET Core, Office and Office Services and Web Apps, Windows Codecs Library, and Microsoft Dynamics. That’s now six straight months of 110+ CVEs and brings the yearly total to 862 – 11 more patches than Microsoft shipped in all of 2019. If they maintain this pace, it’s quite possible for them to ship more than 1,300 patches this year. This volume – along with difficult servicing scenarios – puts extra pressure on patch management teams.

Of these 120 patches, 17 are listed as Critical and 103 are listed as Important in severity. Eleven of these bugs came through the ZDI program. One of these bugs is listed as being publicly known and two are listed as being under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs currently being exploited in the wild:

-       CVE-2020-1380 - Scripting Engine Memory Corruption Vulnerability
This bug in IE is currently under active attack. Attackers could run their code on a target system if an affected version of IE views a specially crafted website. It is not known how extensive the attacks are, but considering this bug was reported by Kaspersky, it’s reasonable to assume malware is involved. If you’re still using IE, make this one your top priority.

-       CVE-2020-1464 - Windows Spoofing Vulnerability
This spoofing bug is publicly known and currently being exploited. It allows an attacker to load improperly signed files, bypassing signature verification. Microsoft does not list where this is public or how many people are affected by the attacks. Regardless, this bug affects all supported versions of Windows, so test and deploy this one quickly.

-       CVE-2020-1472 - NetLogon Elevation of Privilege Vulnerability
It’s rare to see a Critical-rated elevation of privilege bug, but this one deserves it. A vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access. What’s worse is that there is not a full fix available. This patch enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC. Microsoft published guidelines to help administrators choose the correct settings. 

-       CVE-2020-1585 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability
This is one of two codec bugs reported by ZDI’s Abdul-Aziz Hariri. The bug allows for code execution if an attacker can convince a user to view a specially crafted image file. The “AV1 Video Extension” codec is impacted here, and it is only available through the Windows Store, which means the patch is only available through the Windows store. The codec is not a default component, so if you have offline systems, they are unlikely to have the codec installed. 

Here’s the full list of CVEs released by Microsoft for August 2020.