More Microsoft Zero-Day Flaws Being Exploited
Microsoft and CISA Recommend Immediate Patching of Critical Bugs
Two critical zero-day vulnerabilities affecting Internet Explorer and multiple versions of the Windows operating system are being exploited in the wild, Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency warn, urging prompt patching.
The warnings cover CVE-2020-1380, a remote code execution vulnerability in Internet Explorer 11, and CVE-2020-1464, a spoofing vulnerability in Windows 10, 8 and 7 as well as several versions of Windows Server.
Internet Explorer Vulnerability
CISA notes that the vulnerability affecting Internet Explorer could allow an attacker to corrupt a device's memory, enabling arbitrary code execution. This could enable a threat actor to install programs; view, change, or delete data; and create new accounts with full user rights.
"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," Microsoft notes. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system."
Microsoft adds that threat actors could use this vulnerability in a man-in-the-middle attack, luring victims to a malicious website that exploits the flaw in the browser.
"Often, memory corruption vulnerabilities are 'chained' with other vulnerabilities resulting in a full system compromise. This patch should be prioritized for scripting engines," says Animesh Jain, a vulnerability signatures product manager for security firm Qualys.
The bug affecting multiple versions of Windows, CVE-2020-1464, is a spoofing vulnerability that exists when the operating system incorrectly validates file signatures, according to Microsoft and CISA.
An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files, tricking the operating system into treating them as legitimate, according to Microsoft.
"This spoofing bug is publicly known and currently being exploited," Dustin Childs, a security analyst for Trend Micro's Zero Day Initiative, writes in a blog post. "Microsoft does not list where this is public or how many people are affected by the attacks. Regardless, this bug affects all supported versions of Windows, so test and deploy this patch quickly."
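Because both bugs are fixed only by the August update, the practical follow-up to "test and deploy this patch quickly" is verifying that every host actually reached the fixed build. The PowerShell script below is an added example, not code from the article, Microsoft or CISA. It assumes WinRM is enabled on the targets and that the caller has administrative rights there; the build revisions and KB numbers in it are placeholders to be replaced with the values the Microsoft Security Update Guide lists for CVE-2020-1380 and CVE-2020-1464 on each Windows release in use.

```powershell
# Added example (not from the article or Microsoft): report which Windows
# hosts have not yet reached the patch level that closes a given CVE.
# Assumptions: WinRM enabled on targets; caller is a local admin there.
# All build/KB values are PLACEHOLDERS - fill them from the Security Update Guide.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Minimum patched update build revision (UBR) per release, keyed by
    # CurrentBuild, e.g. @{ '19041' = <UBR>; '18363' = <UBR> }. Placeholder: empty.
    [hashtable]$MinUBR = @{},
    # KB IDs expected in the installed-update list. Placeholder, not a real KB.
    [string[]]$RequiredKB = @('KB0000000')
)

function Get-PatchState {
    # Collect build number, UBR and installed hotfix IDs from one host.
    param([string]$Computer)
    try {
        Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            [pscustomobject]@{
                Build    = [string]$cv.CurrentBuild   # e.g. 19041 for Windows 10 2004
                UBR      = [int]$cv.UBR               # update build revision
                HotFixes = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
            }
        }
    } catch {
        # Unreachable or access denied; caller reports it rather than guessing.
        $null
    }
}

function Test-PatchLevel {
    # Decide Patched / Missing / UnknownRelease / Unreachable for one host.
    param([string]$Computer)
    $state = Get-PatchState -Computer $Computer
    if (-not $state) {
        return [pscustomobject]@{ Computer = $Computer; Status = 'Unreachable'; Detail = '' }
    }
    $missingKB = @($RequiredKB | Where-Object { $_ -notin $state.HotFixes })
    $needed    = $MinUBR[$state.Build]

    if ($missingKB.Count -eq 0) {
        $status = 'Patched'            # the expected KB is listed as installed
    } elseif ($null -ne $needed -and $state.UBR -ge $needed) {
        $status = 'Patched'            # a later cumulative update supersedes the KB
    } elseif ($null -eq $needed) {
        $status = 'UnknownRelease'     # no minimum UBR configured for this build
    } else {
        $status = 'Missing'
    }
    [pscustomobject]@{
        Computer = $Computer
        Status   = $status
        Detail   = "build $($state.Build).$($state.UBR); KBs not listed: $($missingKB -join ',')"
    }
}

$ComputerName | ForEach-Object { Test-PatchLevel -Computer $_ } | Format-Table -AutoSize
```

The UBR comparison matters on Windows 10 and Server 2016/2019, where a later cumulative update contains the fix but Get-HotFix will not list the original KB; checking only for the KB ID would flag fully patched hosts as missing the update. Hosts reported as UnknownRelease are builds the script has no threshold for and should be reviewed by hand rather than assumed safe.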
Microsoft's 2020 Vulnerabilities
Microsoft on Tuesday released fixes for 120 vulnerabilities affecting 13 products and services. Since the start of this year, Microsoft has released 862 security fixes, 11 more than it did in all of 2019.
"If they maintain this pace, it's quite possible for them to ship more than 1,300 patches this year. This volume - along with difficult servicing scenarios - puts extra pressure on patch management teams," Childs says.
In July, Microsoft urged its customers to patch a "wormable" vulnerability affecting the Windows Server operating system that could have enabled attackers to compromise an organization's entire infrastructure by crafting malicious DNS queries (see: Microsoft: Patching 'Wormable' Windows Server Flaw Is Urgent).