The August 2020 Security Update Review
August 11, 2020 | Dustin Childs
August is here and so is the latest batch of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.
Adobe Patches for August 2020
The Adobe release for August includes only two patches. The update for Adobe Reader fixes a total of 26 bugs, eight of which came through the ZDI program. Most of these are Out-Of-Bounds (OOB) Reads, but there are also some Use-After-Free (UAF), OOB Write, stack exhaustion, and memory corruption bugs addressed. One interesting bug being fixed here is CVE-2020-9697, which was found by ZDI Vulnerability Analysis Manager Abdul-Aziz Hariri. The reliable info disclosure leak appears to have existed for more than a decade. We’ll tweet out the proof-of-concept demonstration for this one tomorrow. Yes – the demo is short enough to fit in a tweet. Also of note is the Critical-rated CVE-2020-9712. This bug could allow attackers to bypass HTML parsing mitigations within Acrobat Pro DC. Through this, an attacker can trigger the parsing of HTML documents remotely from within Acrobat. The other patch fixes one privilege escalation bug in Adobe Lightroom.
None of the bugs patched by Adobe today are listed as publicly known or under active attack at the time of release. In the past two months, Adobe released additional patches later in the month. It will be interesting to see if that trend continues.
Microsoft Patches for August 2020
For August, Microsoft released patches for 120 CVEs in Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), Microsoft Scripting Engine, SQL Server, .NET Framework, ASP.NET Core, Office and Office Services and Web Apps, Windows Codecs Library, and Microsoft Dynamics. That’s now six straight months of 110+ CVEs and brings the yearly total to 862 – 11 more patches than Microsoft shipped in all of 2019. If they maintain this pace, it’s quite possible for them to ship more than 1,300 patches this year. This volume – along with difficult servicing scenarios – puts extra pressure on patch management teams.
Of these 120 patches, 17 are listed as Critical and 103 are listed as Important in severity. Eleven of these bugs came through the ZDI program. One of these bugs is listed as being publicly known and two are listed as being under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs currently being exploited in the wild:
- CVE-2020-1380 - Scripting Engine Memory Corruption Vulnerability
This bug in IE is currently under active attack. Attackers could run their code on a target system if an affected version of IE views a specially crafted website. It is not known how extensive the attacks are, but considering this bug was reported by Kaspersky, it’s reasonable to assume malware is involved. If you’re still using IE, make this one your top priority.
- CVE-2020-1464 - Windows Spoofing Vulnerability
This spoofing bug is publicly known and currently being exploited. It allows an attacker to load improperly signed files, bypassing signature verification. Microsoft does not list where this is public or how many people are affected by the attacks. Regardless, this bug affects all supported versions of Windows, so test and deploy this one quickly.
- CVE-2020-1472 - NetLogon Elevation of Privilege Vulnerability
It’s rare to see a Critical-rated elevation of privilege bug, but this one deserves it. A vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access. What’s worse is that there is not a full fix available. This patch enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC. Microsoft published guidelines to help administrators choose the correct settings.
- CVE-2020-1585 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability
This is one of two codec bugs reported by ZDI’s Abdul-Aziz Hariri. The bug allows for code execution if an attacker can convince a user to view a specially crafted image file. The “AV1 Video Extension” codec is impacted here, and it is only available through the Windows Store, which means the patch is only available through the Windows Store. The codec is not a default component, so if you have offline systems, they are unlikely to have the codec installed.
Here’s the full list of CVEs released by Microsoft for August 2020.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2020-1464 | Windows Spoofing Vulnerability | Important | Yes | Yes | 0 | 0 | Spoof |
CVE-2020-1380 | Scripting Engine Memory Corruption Vulnerability | Critical | No | Yes | 0 | N/A | RCE |
CVE-2020-1046 | .NET Framework Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1525 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1379 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1477 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1492 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1554 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1568 | Microsoft Edge PDF Remote Code Execution Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-1483 | Microsoft Outlook Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1560 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-1574 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1585 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical | No | No | N/A | 2 | RCE |
CVE-2020-1567 | MSHTML Engine Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-1472 | NetLogon Elevation of Privilege Vulnerability | Critical | No | No | 2 | 2 | EoP |
CVE-2020-1555 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2020-1570 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2020-1339 | Windows Media Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1476 | ASP.NET and .NET Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1597 | ASP.NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-1511 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1577 | DirectWrite Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1479 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1473 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1557 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1558 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1564 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1509 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1487 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1478 | Media Foundation Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1582 | Microsoft Access Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1591 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | N/A | XSS |
CVE-2020-1569 | Microsoft Edge Memory Corruption Vulnerability | Important | No | No | 2 | N/A | RCE |
CVE-2020-1497 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1494 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1495 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1496 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1498 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1504 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | N/A | 2 | RCE |
CVE-2020-1561 | Microsoft Graphics Components Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1562 | Microsoft Graphics Components Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1581 | Microsoft Office Click-to-Run Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1563 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1573 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-1580 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-1493 | Microsoft Outlook Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1505 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1499 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2020-1500 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2020-1501 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2020-1455 | Microsoft SQL Server Management Studio Denial of Service Vulnerability | Important | No | No | 2 | N/A | DoS |
CVE-2020-1502 | Microsoft Word Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1503 | Microsoft Word Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1583 | Microsoft Word Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0604 | Visual Studio Code Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1510 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1571 | Windows 10 Update Assistant Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1531 | Windows Accounts Control Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1587 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-1488 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1459 | Windows ARM Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1535 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1536 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1539 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1540 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1541 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1542 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1543 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1544 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1545 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1546 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1547 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1551 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1534 | Windows Backup Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1549 | Windows CDP User Components Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1550 | Windows CDP User Components Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1489 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1513 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1527 | Windows Custom Protocol Engine Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1584 | Windows dnsrslvr.dll Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-1565 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1517 | Windows File Server Resource Management Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1518 | Windows File Server Resource Management Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1520 | Windows Font Driver Host Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1579 | Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1529 | Windows GDI Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-1480 | Windows GDI Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-1467 | Windows Hard Link Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1474 | Windows Image Acquisition Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1485 | Windows Image Acquisition Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1417 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1486 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1566 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-1578 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2020-1526 | Windows Network Connection Broker Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1337 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1528 | Windows Radio Manager API Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1377 | Windows Registry Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1378 | Windows Registry Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1530 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1537 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1466 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | Important | No | No | N/A | 2 | DoS |
CVE-2020-1383 | Windows RRAS Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1553 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1475 | Windows Server Resource Management Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1521 | Windows Speech Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1522 | Windows Speech Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1524 | Windows Speech Shell Components Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1512 | Windows State Repository Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1490 | Windows Storage Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1515 | Windows Telephony Server Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1519 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1538 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1548 | Windows WaasMedic Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1533 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1556 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1552 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1470 | Windows Work Folders Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1516 | Windows Work Folders Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1484 | Windows Work Folders Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
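With 120 CVEs in one release, the columns in the table above are what a patch team sorts on. The following is an added example, not part of the original post: it parses rows in the table's pipe-separated layout and orders them for deployment. The names `Patch`, `parse_table` and `triage` are hypothetical, and the sort order (exploited, then severity, then public, then Microsoft's Exploitability Index, where 0 means exploitation detected and lower values mean exploitation is more likely) is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the header and six rows copied from the table above.
SAMPLE = """\
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2020-1585 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical | No | No | N/A | 2 | RCE |
CVE-2020-1587 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-1464 | Windows Spoofing Vulnerability | Important | Yes | Yes | 0 | 0 | Spoof |
CVE-2020-1472 | NetLogon Elevation of Privilege Vulnerability | Critical | No | No | 2 | 2 | EoP |
CVE-2020-1380 | Scripting Engine Memory Corruption Vulnerability | Critical | No | Yes | 0 | N/A | RCE |
CVE-2020-1567 | MSHTML Engine Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
"""

SEVERITY_RANK = {"Critical": 0, "Important": 1}


@dataclass(frozen=True)
class Patch:
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi_latest: Optional[int]  # None when the table says N/A
    xi_older: Optional[int]
    kind: str

    @property
    def worst_xi(self) -> int:
        """Lowest XI across both columns (lower = exploitation more likely)."""
        values = [v for v in (self.xi_latest, self.xi_older) if v is not None]
        return min(values) if values else 9


def _xi(cell: str) -> Optional[int]:
    # "N/A" (or any non-numeric cell) means no rating for that release.
    return int(cell) if cell.isdigit() else None


def parse_table(text: str) -> list:
    """Parse 'a | b | ... |' rows; skip the header and malformed lines."""
    patches = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) != 8 or not cells[0].startswith("CVE-"):
            continue
        cve, title, sev, public, exploited, xi_new, xi_old, kind = cells
        patches.append(Patch(cve, title, sev, public == "Yes",
                             exploited == "Yes", _xi(xi_new), _xi(xi_old), kind))
    return patches


def triage(patches: list) -> list:
    """Assumed order: exploited, then severity, then public, then XI."""
    return sorted(patches, key=lambda p: (
        not p.exploited, SEVERITY_RANK.get(p.severity, 9),
        not p.public, p.worst_xi, p.cve))


if __name__ == "__main__":
    for p in triage(parse_table(SAMPLE)):
        print(f"{p.cve}  {p.severity:<9}  exploited={p.exploited!s:<5}  "
              f"XI={p.worst_xi}  {p.title}")
```

The result is a starting order, not a verdict: CVE-2020-1472 sorts behind CVE-2020-1567 on its XI of 2, yet the post singles it out because the patch has to be followed by changes on the DC.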
Of the remaining Critical-rated patches, there’s another Outlook bug that could allow code execution through the Preview Pane. That makes two months in a row for this type of vulnerability. There’s a patch for an RCE in .NET Framework, and some Windows versions require two patches to be fully protected. There are five patches for the Windows Media Foundation that could allow RCE. The Edge (EdgeHTML-based) PDF reader gets a patch for an RCE in viewing PDFs. In addition to the one mentioned above, there are a couple of other codecs being fixed this month. Again, you’ll need to access the Windows Store for those patches. The remaining Critical-rated patches involve browse-and-own scenarios for various components.
As usual, patches for EoP bugs dominate this release with 61 in total. A total of 13 of these bugs are found in the Windows Backup Engine. Other Windows components getting patched include the Windows Registry, the kernel, WalletService, GDI, and the Print Spooler service. The Print Spooler bug was reported by several people, as it resulted from an incomplete fix in May. ZDI researcher Simon Zuckerbraun will have more details about both patches shortly. It’s definitely worth a read.
Continuing with the Important-rated patches, 17 could result in code execution. These bugs are mostly found in the Office suite of products, but also include Visual Studio, Edge, and the Jet Database Engine. Interestingly, there is an Important-rated RCE vulnerability listed in the Font Driver. These are typically listed as Critical, so it’s not clear why this one does not rate as highly.
There are three Denial-of-Service (DoS) bugs patched in this release. The most severe impacts the Windows Remote Desktop Gateway. Attackers could force it to stop responding by connecting to the system and sending it specially crafted requests.
Bugs allowing information disclosure receive 16 patches this month. Of note is another bug in Outlook that can be reached via the Preview Pane. In this case, code execution is not possible, thus the Important versus Critical rating. All of the info disclosure bugs this month leak memory but no PII or other sensitive data. The release is rounded out by patches for three spoofing bugs in SharePoint. There are also patches for two cross-site scripting (XSS) bugs in SharePoint and one in Dynamics.
The lone advisory for this month is the revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.
Looking Ahead
The next Patch Tuesday falls on September 8, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!