Automox Patch Tuesday Breakdown: August 2020
Welcome to August’s Patch Tuesday Breakdown.
This month’s Patch Tuesday release from Microsoft includes fixes for 120 vulnerabilities -- including two zero-days. CVE-2020-1380 and CVE-2020-1464 have already been exploited in the wild, but they are not the only vulnerabilities to be concerned about this month. In total, Microsoft is patching 17 critical vulnerabilities. This month’s release also shows that a CVSS score is not the end-all, be-all of patch prioritization: one of the two exploited vulnerabilities is rated only important. Any vulnerability can be exploited, regardless of its rating, and known exploitation should outrank severity when deciding what to deploy first.
For August, Adobe has also released fixes for Lightroom, Acrobat and Reader. Additionally, Adobe released a number of out-of-band patches throughout July, highlighting the importance of keeping a close eye on your patch status. See July’s Patch Tuesday Breakdown for more coverage of last month’s updates.
Overall, August is going to be another busy month for system administrators and security operations. Heavy patch loads are the new normal thanks to an expanding corporate attack surface. As many organizations are now discovering, securing all parts of a digital environment presents a unique challenge in our increasingly remote world. When devices are on-premise, corporate infrastructure provides an array of security tools that help protect networks from potential threats -- but remote devices tend to exist outside of the corporate safety net and are particularly vulnerable. For this reason, ensuring that remote devices can be patched quickly and regularly is key to managing remote endpoints.
Microsoft Patches Exploited Vulnerabilities
For August, Microsoft has released a patch for a critical zero-day vulnerability, CVE-2020-1380. This is a remote code execution vulnerability that has already been reported as exploited in the wild. It exists in the way the scripting engine handles objects in memory in Internet Explorer, and can be reached either through Internet Explorer itself or through a Microsoft Office document that hosts the IE engine; a successful attack lets the attacker run code with the rights of the current user. There are multiple ways an attacker can trigger this vulnerability, such as tricking users into visiting a malicious website or opening a crafted document. As a tried-and-true method of attack, CVE-2020-1380 is especially concerning for the remote workforce, where the lack of corporate infrastructure (and the safety nets that come with it) makes for easy targets.
Microsoft has also released a patch for a second publicly known and exploited threat this month: CVE-2020-1464, a Windows spoofing vulnerability. With a CVSS score of 5.3, this is the kind of vulnerability that may not make the priority list for overworked system admins -- but, as the reports of exploitation show, even vulnerabilities with lower CVSS scores can be a significant threat to an organization’s security. Both legacy and current versions of Windows and Windows Server are affected. The flaw lies in how Windows validates file signatures: an attacker can present a malicious file carrying a spoofed signature, bypass security features that are meant to block improperly signed files, and get the file loaded.
More Updates From Microsoft
For August, Microsoft released fixes for a total of 120 vulnerabilities, 17 of which are rated critical. In addition to the zero-days, these include:
CVE-2020-1555 and CVE-2020-1570 are scripting engine memory corruption bugs similar to this month’s zero-day CVE-2020-1380, though neither has been reported as exploited in the wild yet. CVE-2020-1570 is a second remote code execution vulnerability in Internet Explorer, while CVE-2020-1555 affects Microsoft Edge.
Another critical vulnerability getting addressed this month is CVE-2020-1483, which affects Microsoft Outlook and can be exploited through email- or web-based attack scenarios. Successful exploitation could allow an attacker to run arbitrary code within the context of the current user. From there, attackers can steal data, run backdoor installations or even engage in lateral movement within the network.
CVE-2020-1560, -1574 and -1585 are all critical memory corruption bugs in the Microsoft Windows Codecs Library that can lead to arbitrary code execution. There is also a remote code execution vulnerability in the Windows Media Audio Codec, CVE-2020-1339. Successful exploitation of this vulnerability can allow an attacker to take control of the victim machine.
A critical remote code execution vulnerability (CVE-2020-1046) in the .NET Framework is also getting addressed this month. Like other remote code execution vulnerabilities, CVE-2020-1046 potentially allows attackers to gain access to critical data, as well as lateral movement across a network. A critical remote code execution vulnerability found in MSHTML Engine, CVE-2020-1567, is getting patched this month as well.
Remote code execution is not the only thing to worry about this month; CVE-2020-1472 is a critical elevation of privilege vulnerability in the Netlogon process on Windows Server that earned an upgrade from CVSS 8.3 to 10 late last night. Microsoft is addressing CVE-2020-1472 in a two-part rollout: the August update is the first phase, and the second, enforcement phase is scheduled for Q1 2021. Installing the August update on every domain controller is the immediate step; the enforcement settings it introduces should be reviewed before the second phase turns them on by default.
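Because the CVE-2020-1472 fix ships in two phases, a practitioner will want to know which phase each domain controller is actually in and which clients would break when enforcement is switched on. The script below is an added example and is not part of Automox’s post or tooling. It assumes the registry value and System-log event IDs documented in Microsoft’s KB4557222 for this CVE (FullSecureChannelProtection under the Netlogon Parameters key, and events 5827 through 5831); check those against the current version of the KB before relying on the output. It is meant to be run with administrative rights on a patched domain controller.

```powershell
# Added example (not from the original post): audit a domain controller's
# CVE-2020-1472 Netlogon rollout state. Registry value and event IDs are taken
# from Microsoft KB4557222 and are assumptions to verify against the KB.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonEnforcementState {
    # Phase 1 (August 2020 update): vulnerable connections from non-compliant devices
    # are still allowed and logged. Setting FullSecureChannelProtection to 1 turns on
    # full enforcement early; phase 2 (Q1 2021) makes that the default.
    $props = Get-ItemProperty -Path $NetlogonParams -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
    switch ($props.FullSecureChannelProtection) {
        1       { 'Enforcement: vulnerable Netlogon secure channel connections are denied' }
        0       { 'Relaxed: value explicitly set to 0, vulnerable connections from non-compliant devices allowed' }
        default { 'Phase-1 default: value not set, vulnerable connections allowed and logged as event 5829' }
    }
}

function Get-VulnerableNetlogonEvents {
    param([int]$Days = 7)
    # 5827 / 5828: connection denied (machine account / trust account)
    # 5829:        vulnerable connection allowed because enforcement is not yet on
    # 5830 / 5831: connection allowed by the "Allow vulnerable Netlogon secure channel
    #              connections" group policy exception
    $filter = @{
        LogName   = 'System'
        Id        = 5827, 5828, 5829, 5830, 5831
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        Select-Object @{ Name = 'EventId'; Expression = { $_.Name } },
                      Count,
                      @{ Name = 'FirstMessageLine'; Expression = {
                          ($_.Group | Select-Object -First 1).Message.Split("`n")[0].Trim() } }
}

"Netlogon state on $env:COMPUTERNAME : $(Get-NetlogonEnforcementState)"
"Netlogon events, last 7 days (any 5829 entries are devices that will break under enforcement):"
Get-VulnerableNetlogonEvents | Format-Table -AutoSize
```

Run it on each domain controller (or wrap the two functions in Invoke-Command against the DC list) and work the 5829 results first: those are the devices that will stop authenticating once enforcement is on, so they need to be fixed or explicitly excepted before the second phase arrives.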
There is also a bevy of memory corruption vulnerabilities in Windows Media Foundation getting patched for August. CVE-2020-1525, -1379, -1477, -1492 and -1554 can be exploited in a variety of ways, such as tricking users into visiting malicious webpages or opening malicious files. If successful, attackers can use these vulnerabilities to create new user accounts, view or change data, and install programs. Microsoft addresses them by correcting how Windows Media Foundation handles objects in memory.
Other Updates For August
For August, Adobe has released a total of 26 updates addressing vulnerabilities in Lightroom, Acrobat and Reader. Of these, 11 are rated critical because they allow attackers to bypass security features or to execute remote code. However, these may not be the only updates that system admins need to concern themselves with; Adobe issued a number of out-of-band updates throughout the course of July which will need to be deployed as well.
As the remote workforce continues to grow in light of the COVID-19 pandemic, out-of-band updates and heavy patch loads have become the new normal. For many organizations, the sudden shift to remote work also represents a sudden increase in the size of their attack surface. Without sufficient endpoint management, remote devices can quickly become easy targets for malicious actors. Ensuring that devices are getting patched regularly requires an effective patch management strategy -- one which includes full visibility over remote endpoints and a proactive approach to patching.
For endpoint management strategies to deliver real pre-incursion value, organizations need to deploy patches before attackers weaponize the vulnerabilities they fix. For a zero-day that is already being exploited, that means deploying the patch within 24 hours of release. Staying up to date when there are hundreds of patches to deploy is a challenge, but there are new approaches to patch management that can help.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.