With its August 2020 Fix Tuesday updates, Microsoft has fixed 120 vulnerabilities including a Windows spoofing bug and an Internet Explorer remote code execution vulnerability that was exploited in attacks.
The vulnerability in Windows spoofing, monitored as CVE-2020-1464, is linked to the improper validation of file signatures by Windows. An attacker can exploit this flaw to bypass the security features and load files that are incorrectly signed. Many Windows versions are affected, including Windows 7 and Windows Server 2008, which end support for.
Microsoft says it is aware of attempts to hack both the new versions of Windows and older ones.
The second actively exploited vulnerability patched this month is CVE-2020-1380, a remote execution of code related to the way Internet Explorer ‘s scripting engine handles objects in memory.
The security hole can be exploited by luring the targeted user to a specially crafted website, persuading them to open a malicious Office document, or by attacking with malvertising.
Researchers at Kaspersky have sent CVE-2020-1380 to Microsoft and the security firm will likely release some information about the vulnerability and the attacks in the hours or days ahead.
Of the remaining vulnerabilities Microsoft patched this month, 15 were rated critical. They mainly impact Windows, but some affect Edge, Internet Explorer, Outlook, and the. NET framework, and most can be abused to execute remote code.
Over 100 bugs were rated as major. They impact Windows, Dynamics 365, Office, Outlook, SharePoint, and Visual Studio Code and can be exploited for remote execution of code, escalation of rights, XSS attacks, DoS attacks, and information gain.
This is the sixth month in a row with Microsoft’s over 110 CVEs, noted Dustin Childs of Trend Micro’s Zero Day Initiative, which analyzed patches from this month.
“It brings the total number of Windows patches released this year to 862 – 11 more patches shipped in all of 2019 than Apple,” Childs said. “If they sustain that speed, shipping more than 1,300 patches this year is very likely for them. This volume – along with challenging service situations – places additional pressure on management teams to handle patches.