The August batch of Patch Tuesday updates includes 120 updates for the Microsoft suite, with 17 fixes rated as Critical, and the remaining 103 ranked as Important. CVE-2020-1380 is a critical Internet Explorer (IE) vulnerability that can be abused for remote code execution (RCE), while CVE-2020-1464 is a Windows 10 security gap that can be used for spoofing. Administrators are advised to update their systems as soon as possible as both flaws have been found being exploited in the wild. The Zero Day Initiative (ZDI) disclosed 11 flaws, five of which are critical bugs that disclosed RCE vulnerabilities, while the remaining six are rated as important vulnerabilities that can be abused to gain escalation of privileges, RCE, information disclosure, and spoofing.
Currently abused in the wild
Two of the fixes address updates for vulnerabilities currently being exploited in the wild. CVE-2020-1380 is a scripting engine memory corruption vulnerability in IE11 that allows an attacker to execute arbitrary code as the current user when abused. The scripting engine can be corrupted in the way it handles objects in memory and allows an attacker to view and edit data, create new accounts with full user rights, and install other programs if the logged-in user has full administrative rights.
Malicious actors can use several methods to exploit this gap. An attacker can create a specially crafted website to exploit the flaw through IE by prompting the user with social engineering techniques, or by embedding ActiveX controls to open it with an IE browser. They can also use compromised websites or pages that accept or host user-generated content and advertisements that could exploit the vulnerability.
Meanwhile, CVE-2020-1464 is a spoofing vulnerability that occurs when Windows incorrectly validates files’ digital signatures. An attacker can exploit this flaw to bypass security features and load malicious files, such as PDFs or Office file documents, onto systems.
Other critical IE, Outlook and HTML flaws via RCE
This release also includes three other fixes for critical network vulnerabilities. CVE-2020-1567 is an MSHTML engine improper input validation flaw that an attacker can exploit using a specially crafted file loaded by the current user to run arbitrary code. If the current user has full administrative rights in the system, the attacker can use it to install programs; view, change, and delete data; and create new accounts with the same user rights.
CVE-2020-1483 is an Outlook memory corruption vulnerability that can be used to run arbitrary code in the current user’s context. It affects a user with full administrative rights more severely compared to a user with fewer rights, but will nonetheless have some control and make unauthorized changes in the software. An attacker can exploit this flaw by convincing a user to open a malicious email or attachment, or use a compromised or malicious website via an embedded link included in the message. The preview pane can also serve as an attack vector in versions of Microsoft 365, Office 2019, and Outlook.
CVE-2020-1570 can be exploited by an attacker to run malicious code remotely through IE. This scripting engine memory corruption gap could allow an attacker to take control of a system with full user rights. Similar to CVE-2020-1380, an attacker can compromise legitimate websites or create a specific page to exploit the vulnerability and prompting the user to load the site using IE.
Trend Micro solutions
Vulnerabilities being exploited in the wild imply that cybercriminals may already be studying or creating routines that can abuse these gaps in systems. And while security administrators might simultaneously implement some of the updates, users — especially those who are currently working from home — are advised to download the individual patches for their systems immediately.
Trend Micro™ Deep Security™ and Vulnerability Protection protect users from exploits that target these vulnerabilities via the following rules:
- 1010439 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-1570)
- 1010441 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)
- 1010442 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2020-1567)
- 1010453 – Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1574)
- 1010454 – Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1585)
- 1010455 – Microsoft Windows DirectWrite Information Disclosure Vulnerability (CVE-2020-1577)
Trend Micro™ TippingPoint® protects customers through the following rules:
- 37953: HTTP: Microsoft Internet Explorer Remote Code
- 37954: HTTP: Microsoft Internet Explorer Use-After-Free
- 37955: HTTP: Microsoft Internet Explorer Use-After-Free