Microsoft has released a new batch of regular security updates for Windows and other supported software. With fixes for a whopping 129 vulnerabilities, including 11 rated as critical, the latest Patch Tuesday is the bulkiest on record.
Importantly, however, none of the flaws had been disclosed or spotted as being under active exploitation prior to the release. A little more than half of them fell into the category of privilege escalation flaws in various Windows components, though none was rated as critical.
Still, there are a number of vulnerabilities that merit close attention, including because they are rated critical and could, in some scenarios, be abused by bad actors to take control of vulnerable systems remotely and with no help from victims.
The Windows VBScript scripting engine, for one, contained a trio of critical remote-code execution (RCE) flaws – CVE-2020-1213, CVE-2020-1216 and CVE-2020-1260, each of which was given the "exploitation more likely" rating on Microsoft’s Exploitability Index.
Successful abuse of any of these vulnerabilities could give the attacker the same user rights as those of the current user, including potentially admin rights. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” said Microsoft.
One RCE vulnerability, CVE-2020-1248, was fixed in the Windows Graphics Device Interface (GDI). Caused by how GDI handles objects in memory, the vulnerability could enable an attacker to seize control of a vulnerable system. One attack scenario could involve enticing the target to open a malicious attachment.
A bunch of holes in SharePoint were also plugged with the latest update. This includes CVE-2020-1181, a critical-rated RCE flaw that has to do with Microsoft SharePoint Server failing to properly identify and filter unsafe ASP.Net web controls. “An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process,” said Microsoft.
SMB bleeding
The Server Message Block (SMB) protocol received patches for three important-ranked flaws that were all given the "exploitation more likely" rating.
Per this summary by the SANS Technology Institute, this month’s highest CVSS score overall – 8.6 out of 10 – was given to CVE-2020-1206, an information disclosure vulnerability in SMBv3 that has to do with how the protocol handles certain requests. “An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system,” said Microsoft.
Dubbed SMBleed, this new vulnerability in the SMB decompression functionality is present in Windows 10 versions 1903, 1909 and 2004. Details about the vulnerability were published by researchers at ZecOps, who discovered it while looking at SMBGhost, another – and more serious – security hole in the protocol that was patched via an out-of-band update three months ago.
SMBleed could enable attackers to leak kernel memory remotely; combined with SMBGhost, it allows achieving pre-auth Remote Code Execution (RCE), said the researchers.
The wormable SMBGhost bug, meanwhile, allows attackers to spread malware from machine to machine with no user interaction. Citing open source reports, the Unites States’ Cybersecurity & Infrastructure Security Agency (CISA) warned last week that threat actors were already targeting SMBGhost, indexed as CVE-2020-0796, with publicly available proof-of-concept (PoC) code.
Also patched this month was an RCE vulnerability affecting SMBv1 and indexed as CVE-2020-1301. It may bring some echoes of a security loophole hole in SMBv1 that was exploited by EternalBlue and facilitated the WannaCryptor aka WannaCry outbreak in 2017. The third newly-fixed SMB flaw is CVE-2020-1284, a denial-of-service vulnerability in SMBv3 that attackers could exploit in order to crash vulnerable systems.
You would be well advised to apply all available updates as soon as practicable. Should you experience delays in receiving the patches, you can download the updates from Microsoft Update Catalog.