Welcome back to this month’s Patch Tuesday. This month’s salvo of patches fix 120 vulnerabilities, 17 of which have been declared ‘Critical’ by Microsoft, and 2 of which have been exploited in the wild.
The first zero-day patched this month is a bug in the Windows OS. This vulnerability allows attackers to fool the OS into validating invalid file signatures, which allows them to bypass security features and load malicious files as if they came from a trusted source.
Internet Explorer Scripting Engine
Internet Explorer comes with a scripting engine to run online scripts in real time. The engine is also leveraged by Office products, such as rendering web pages in Word documents. An attacker who took advantage of this engine would be able to remotely execute code with the same security context of the current user. So if a victim were running an office product or Internet Explorer as an administrator, the attacker could gain complete control over the system.
Microsoft Office products got their usual attention this month. As mentioned above, Office products that leverage the IE scripting engine were vulnerable to maliciously crafted files. Attackers exploiting these vulnerabilities would be able to execute code within the security context of the current user. This once again reminds us to exercise the principle of least privilege.
Windows Server received a partial fix for CVE-2020-1472, which could allow an unauthenticated attacker to gain administrative access to a Windows domain controller and execute arbitrary commands. Since domain controllers hold the keys to the corporate network kingdom, this is a highly severe vulnerability.