Microsoft Patch Tuesday August 2020: vulnerabilities with Detected Exploitation, useful for phishing and others

This time I would like to review not only the vulnerabilities that were published in the last August Microsoft Patch Tuesday, but also the CVEs that were published on other, non-Patch Tuesday days, if there are any.

But let’s start with the vulnerabilities that were presented on MS Patch Tuesday on August 11th. There were 120 vulnerabilities: 17 of them are Critical and 103 Important. My vulristics script could not find public exploits for these vulnerabilities on Vulners.com.

For the first time in a long time, there were 2 Exploitation Detected vulnerabilities.

Exploitation detected (2)

Remote Code Execution

Spoofing

Windows spoofing (CVE-2020-1464) is good for phishing. “In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded.”

RCE in Internet Explorer (CVE-2020-1380) might be interesting in the context of “An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine”.

Exploitation more likely (8)

Remote Code Execution

Elevation of Privilege

Information Disclosure

For some reason, all VM vendors ignored the Exploitation more likely vulnerabilities this time, although RCE in Internet Explorer (CVE-2020-1570) and MSHTML Engine (CVE-2020-1567) may be interesting.

Other Product based (31)

Media Foundation

Microsoft Excel

Microsoft SharePoint

Windows Backup Engine

This time, the products with the most vulnerabilities are Media Foundation, Microsoft Excel, Microsoft SharePoint and Windows Backup Engine. VM vendors pay attention to Memory Corruption (in fact RCE) in Media Foundation, RCE in Microsoft Excel and Elevation of Privilege in Windows Backup Engine.

Other Vulnerability Type based (79)

Remote Code Execution

Denial of Service

Elevation of Privilege

Information Disclosure

Cross Site Scripting

If we look at the rest of the vulnerabilities, the most interesting are RCEs in Jet Database Engine (CVE-2020-1473, CVE-2020-1557, CVE-2020-1558, CVE-2020-1564), Microsoft Edge PDF (CVE-2020-1568), Microsoft Windows Codecs Library (CVE-2020-1560, CVE-2020-1574, CVE-2020-1585) and Windows Media (CVE-2020-1339).

The second block is Elevation of Privilege in Local Security Authority Subsystem Service (LSASS) (CVE-2020-1509), Windows Print Spooler (CVE-2020-1337) and Netlogon (CVE-2020-1472). For the last one, “an unauthenticated attacker could use MS-NRPC to connect to a domain controller as a domain administrator”.

Other vulnerabilities

Now let’s take a look at the vulnerabilities that were released from 07/15/2020 to 08/27/2020, excluding the August Patch Tuesday. I added support for such exceptions in report_ms_patch_tuesday.py in Vulristics. In fact, there were very few CVEs outside of Patch Tuesday.

Other Vulnerability Type based (2)

Remote Code Execution

  • Microsoft Dynamics 365 for Finance and Operations (on-premises) (CVE-2020-1182)

Elevation of Privilege

RCE in on-premises Microsoft Dynamics 365 for Finance and Operations. “An authenticated attacker with privileges to import and export data could exploit this vulnerability by sending a specially crafted file to a vulnerable Dynamics server”.

Elevation of Privilege in Microsoft Edge. “To exploit the vulnerability, the user must browse to a malicious website that is designed to download a DLL file and click on the page to begin the process”. But the severity of this vulnerability is surprisingly low, only Moderate.

You may have heard about Microsoft’s unscheduled update for Windows Remote Access Elevation of Privilege, released August 20. It addressed the same vulnerabilities (CVE-2020-1530, CVE-2020-1537) that were presented in the August Patch Tuesday, but fixes them for older OS versions: Windows 8.1, RT 8.1, and Server 2012 R2.
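The out-of-band selection described above (a 07/15/2020 to 08/27/2020 window minus Patch Tuesday) and the August 20 re-release case can be sketched as follows. This is an added example, not code from Vulristics; the record layout, the inclusive window bounds, the function names and the `CVE-EXAMPLE-*` entries are assumptions made for illustration.

```python
from datetime import date, timedelta

def patch_tuesday(year, month):
    """Return the second Tuesday of the given month."""
    first = date(year, month, 1)
    # date.weekday(): Monday=0, Tuesday=1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)

def out_of_band(records, start, end):
    """CVE ids published in [start, end] that never shipped on a Patch Tuesday.

    records is a list of (cve_id, published) tuples (assumed layout).
    A CVE re-released later for more OS versions is not counted as new
    when it already appeared on a Patch Tuesday inside the window.
    """
    in_window = [(cve, day) for cve, day in records if start <= day <= end]
    shipped_on_pt = {cve for cve, day in in_window
                     if day == patch_tuesday(day.year, day.month)}
    return sorted({cve for cve, _ in in_window if cve not in shipped_on_pt})

# Constructed sample feed. The two real ids and their dates (August 11 and
# the August 20 update) come from the text; CVE-EXAMPLE-* rows are made up.
RECORDS = [
    ("CVE-2020-1530", date(2020, 8, 11)),     # August Patch Tuesday
    ("CVE-2020-1537", date(2020, 8, 11)),
    ("CVE-2020-1530", date(2020, 8, 20)),     # re-release for older OS versions
    ("CVE-2020-1537", date(2020, 8, 20)),
    ("CVE-EXAMPLE-0001", date(2020, 7, 21)),  # constructed out-of-band entry
    ("CVE-EXAMPLE-0002", date(2020, 7, 14)),  # constructed, before the window
    ("CVE-EXAMPLE-0003", date(2020, 8, 27)),  # constructed, last day of window
]

if __name__ == "__main__":
    # The window opens the day after the July 2020 Patch Tuesday (July 14).
    start = patch_tuesday(2020, 7) + timedelta(days=1)
    print(start, out_of_band(RECORDS, start, date(2020, 8, 27)))
```

Matching on the CVE id rather than only on the publication date is what keeps the August 20 update from showing up as two new vulnerabilities.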
