The latest Patch Tuesday
knocks out a record-high number of vulnerabilities, including new bugs in the
SMB protocol
Microsoft has released
a new batch of regular security updates for Windows and other supported software. With fixes for a
whopping 129 vulnerabilities, including 11 rated as critical, the latest Patch
Tuesday is the bulkiest on record.
Importantly, however, none
of the flaws had been disclosed or spotted as being under active exploitation
prior to the release. A little more than half of them fell into the category of
privilege escalation flaws in various Windows components, though none was rated
as critical.
Still, there are a number
of vulnerabilities that merit close attention, including because they are rated
critical and could, in some
scenarios, be abused by bad actors to take control of vulnerable systems remotely
and with no help from victims.
The Windows VBScript
scripting engine, for one, contained a trio of critical remote-code execution
(RCE) flaws – CVE-2020-1213, CVE-2020-1216 and CVE-2020-1260, each of which was given the “exploitation more
likely” rating on Microsoft’s
Exploitability Index.
Successful abuse of any of
these vulnerabilities could give the attacker the same user rights as those of
the current user, including potentially admin rights. “An attacker could then
install programs; view, change, or delete data; or create new accounts with
full user rights,” said Microsoft.
One RCE vulnerability, CVE-2020-1248, was fixed in the Windows Graphics Device
Interface (GDI). Caused by how GDI handles objects in memory, the vulnerability
could enable an attacker to seize control of a vulnerable system. One attack
scenario could involve enticing the target to open a malicious attachment.
A bunch of holes in
SharePoint were also plugged with the latest update. This ncludes CVE-2020-1181, a critical-rated RCE flaw that has to do with
Microsoft SharePoint Server failing to properly identify and filter unsafe
ASP.Net web controls. “An authenticated attacker who successfully exploited the
vulnerability could use a specially crafted page to perform actions in the
security context of the SharePoint application pool process,” said Microsoft.
SMB bleeding
The Server Message Block
(SMB) protocol received patches for three important-ranked flaws that were all
given the “exploitation more likely” rating.
Per this
summary by the SANS Technology Institute, this month’s highest CVSS score overall – 8.6 out of 10 – was given to CVE-2020-1206, an information disclosure vulnerability in SMBv3
that has to do with how the protocol handles certain requests. “An attacker who
successfully exploited the vulnerability could obtain information to further
compromise the user’s system,” said Microsoft.
Dubbed SMBleed, this new
vulnerability in the SMB decompression functionality is present in Windows 10
versions 1903, 1909 and 2004. Details about the vulnerability were published
by researchers at ZecOps, who
discovered it while looking at SMBGhost, another – and more serious – security
hole in the protocol that was patched via an out-of-band update three months
ago.
SMBleed could enable
attackers to leak kernel memory remotely; combined with SMBGhost, it allows to
achieve pre-auth Remote Code Execution (RCE), said the researchers.
The wormable SMBGhost bug,
meanwhile, allows attackers to spread malware from machine to machine with no
user interaction. Citing open source reports, the Unites States’ Cybersecurity
& Infrastructure Security Agency (CISA) warned last week that threat actors were already
targeting SMBGhost, indexed as CVE-2020-0796, with publicly available proof-of-concept (PoC)
code.
Also patched this month was
an RCE vulnerability affecting SMBv1 and indexed as CVE-2020-1301. It may bring some echoes of a security loophole
hole in SMBv1 that was exploited by EternalBlue and facilitated
the WannaCryptor aka WannaCry outbreak in 2017. The third newly-fixed SMB flaw is CVE-2020-1284, a denial-of-service vulnerability in SMBv3 that
attackers could exploit in order to crash vulnerable systems.
You would be well advised
to apply all available updates as soon as practicable. Should you experience
delays in receiving the patches, you can download the updates from Microsoft
Update Catalog.