With its latest regularly scheduled security update, Microsoft has fixed 120 software vulnerabilities, including 17 critical flaws, one of which is a zero-day bug that has been actively exploited in the wild.
Microsoft this year has already eclipsed the total number of patches it issued during all of 2019 -- a pace that experts at Trend Micro's Zero-Day Initiative (ZDI) says presents a patching management challenge for businesses.
“This brings the total number of Microsoft patches released this year to 862 – 11 more patches than Microsoft shipped in all of 2019,” said ZDI in a blog post today. “If they maintain this pace, it’s quite possible for them to ship more than 1,300 patches this year. This volume – along with difficult servicing scenarios – puts extra pressure on patch management teams.”
The first zero-day is CVE-2020-1380, a memory corruption vulnerability that can result in remote code execution when the scripting engine mishandles objects in memory in Internet Explorer. Attackers can exploit this bug to gain the same user rights as the current user, which could lead to a systems takeover allowing for the installation of programs, the manipulation data or the creation of privileged accounts, if the user has administrative privileges.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website," Microsoft explains in its security update. "An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability."
Kaspersky reported the flaw after investigating an attempted attack against a South Korean company -- an attack the company attributes with medium confidence to suspected South Korean APT group DarkHotel. According to Kaspersky, the remote code execution attempt involved a two-stage exploit chain using both CVE-2020-1380 and a privilege escalation in the Windows printer service that was patched last June.
“When in the wild attacks with zero-day vulnerabilities happen, it is always big news for the cybersecurity community,” said Boris Larin, the security expert at Kaspersky who is specifically credited for the bug find. “Successful detection of such a vulnerability immediately pressures vendors to issue a patch and forces users to install all necessary updates."
"What is particularly interesting in the discovered attack is that the previous exploits we found were mainly about elevation of privileges," Larin continued. "However, this case includes an exploit with remote code execution capabilities, which is more dangerous. Coupled with the ability to affect the latest Windows 10 builds, the discovered attack is truly a rare thing nowadays. It reminds us once again to invest into prominent threat intelligence and proven protective technologies to be able to proactively detect the latest zero-day threats.”
"It is not known how extensive the attacks are, but considering this bug was reported by Kaspersky, it’s reasonable to assume malware is involved. If you’re still using IE, make this one your top priority," said ZDI.
Microsoft patched a second actively exploited zero-day bug, CVE-2020-1464, which was classified as important, not critical. The flaw is a Windows spoofing vulnerability, caused by the incorrect validation of file signatures, that could enable a malicious actor to "bypass security features and load improperly signed files," Microsoft warns in its advisory.
In addition to CVE-2020-1380, the remaining 16 critical vulnerabilities consist of two additional bugs in the scripting engine, one in the .NET Framework, five in Media Foundation, one in Edge, one Outlook, three in the Window Codecs Library, one in the MSHTML Engine, one in NetLogon, and one in Windows Media. All but one are remote code execution flaws, while the remainder is an elevation of privileges.