The August 2020 Security Update Review

August 11, 2020 | Dustin Childs

August is here and so is the latest batch of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for August 2020

The Adobe release for August includes only two patches. The update for Adobe Reader fixes a total of 26 bugs, eight of which came through the ZDI program. Most of these are Out-Of-Bounds (OOB) Reads, but there are also some Use-After-Free (UAF), OOB Write, stack exhaustion, and memory corruption bugs addressed. One interesting bug being fixed here is CVE-2020-9697, which was found by ZDI Vulnerability Analysis Manager Abdul-Aziz Hariri. The reliable info disclosure leak appears to have existed for more than a decade. We’ll tweet out the proof-of-concept demonstration for this one tomorrow. Yes – the demo is short enough to fit in a tweet. Also of note is the Critical-rated CVE-2020-9712. This bug could allow attackers to bypass HTML parsing mitigations within Acrobat Pro DC. Through this, an attacker can trigger the parsing of HTML documents remotely from within Acrobat. The other patch fixes one privilege escalation bug in Adobe Lightroom

None of the bugs patched by Adobe today are listed as publicly known or under active attack at the time of release. In the past two months, Adobe released additional patches later in the month. It will be interesting to see if that trend continues.

Microsoft Patches for August 2020

For August, Microsoft released patches for 120 CVEs in Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), Microsoft Scripting Engine, SQL Server, .NET Framework, ASP.NET Core, Office and Office Services and Web Apps, Windows Codecs Library, and Microsoft Dynamics. That’s now six straight months of 110+ CVEs and brings the yearly total to 862 – 11 more patches than Microsoft shipped in all of 2019. If they maintain this pace, it’s quite possible for them to ship more than 1,300 patches this year. This volume – along with difficult servicing scenarios – puts extra pressure on patch management teams.

Of these 120 patches, 17 are listed as Critical and 103 are listed as Important in severity. Eleven of these bugs came through the ZDI program. One of these bugs is listed as being publicly known and two are listed as being under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs currently being exploited in the wild:

-       CVE-2020-1380 - Scripting Engine Memory Corruption Vulnerability
This bug in IE is currently under active attack. Attackers could run their code on a target system if an affected version of IE views a specially crafted website. It is not known how extensive the attacks are, but considering this bug was reported by Kaspersky, it’s reasonable to assume malware is involved. If you’re still using IE, make this one your top priority.

-       CVE-2020-1464 - Windows Spoofing Vulnerability
This spoofing bug is publicly known and currently being exploited. It allows an attacker to load improperly signed files, bypassing signature verification. Microsoft does not list where this is public or how many people are affected by the attacks. Regardless, this bug affects all supported versions of Windows, so test and deploy this one quickly.

-       CVE-2020-1472 - NetLogon Elevation of Privilege Vulnerability
It’s rare to see a Critical-rated elevation of privilege bug, but this one deserves it. A vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access. What’s worse is that there is not a full fix available. This patch enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC. Microsoft published guidelines to help administrators choose the correct settings. 

-       CVE-2020-1585 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability
This is one of two codec bugs reported by ZDI’s Abdul-Aziz Hariri. The bug allows for code execution if an attacker can convince a user to view a specially crafted image file. The “AV1 Video Extension” codec is impacted here, and it is only available through the Windows Store, which means the patch is only available through the Windows store. The codec is not a default component, so if you have offline systems, they are unlikely to have the codec installed. 

Here’s the full list of CVEs released by Microsoft for August 2020. 

CVE Title Severity Public Exploited XI - Latest XI - Older Type
CVE-2020-1464 Windows Spoofing Vulnerability Important Yes Yes 0 0 Spoof
CVE-2020-1380 Scripting Engine Memory Corruption Vulnerability Critical No Yes 0 N/A RCE
CVE-2020-1046 .NET Framework Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1525 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-1379 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-1477 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-1492 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-1554 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-1568 Microsoft Edge PDF Remote Code Execution Vulnerability Critical No No 2 N/A RCE
CVE-2020-1483 Microsoft Outlook Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-1560 Microsoft Windows Codecs Library Remote Code Execution Vulnerability Critical No No 2 N/A RCE
CVE-2020-1574 Microsoft Windows Codecs Library Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1585 Microsoft Windows Codecs Library Remote Code Execution Vulnerability Critical No No N/A 2 RCE
CVE-2020-1567 MSHTML Engine Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2020-1472 NetLogon Elevation of Privilege Vulnerability Critical No No 2 2 EoP
CVE-2020-1555 Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2020-1570 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2020-1339 Windows Media Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1476 ASP.NET and .NET Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1597 ASP.NET Core Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2020-1511 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1577 DirectWrite Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1479 DirectX Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1473 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1557 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1558 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1564 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1509 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1487 Media Foundation Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1478 Media Foundation Memory Corruption Vulnerability Important No No 2 2 RCE
CVE-2020-1582 Microsoft Access Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1591 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability Important No No 2 N/A XSS
CVE-2020-1569 Microsoft Edge Memory Corruption Vulnerability Important No No 2 N/A RCE
CVE-2020-1497 Microsoft Excel Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1494 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1495 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1496 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1498 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1504 Microsoft Excel Remote Code Execution Vulnerability Important No No N/A 2 RCE
CVE-2020-1561 Microsoft Graphics Components Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1562 Microsoft Graphics Components Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1581 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1563 Microsoft Office Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1573 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-1580 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-1493 Microsoft Outlook Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1505 Microsoft SharePoint Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1499 Microsoft SharePoint Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2020-1500 Microsoft SharePoint Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2020-1501 Microsoft SharePoint Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2020-1455 Microsoft SQL Server Management Studio Denial of Service Vulnerability Important No No 2 N/A DoS
CVE-2020-1502 Microsoft Word Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1503 Microsoft Word Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1583 Microsoft Word Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-0604 Visual Studio Code Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1510 Win32k Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1571 Windows 10 Update Assistant Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1531 Windows Accounts Control Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1587 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-1488 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1459 Windows ARM Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1535 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1536 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1539 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1540 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1541 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1542 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1543 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1544 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1545 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1546 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1547 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1551 Windows Backup Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1534 Windows Backup Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1549 Windows CDP User Components Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1550 Windows CDP User Components Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1489 Windows CSC Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1513 Windows CSC Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1527 Windows Custom Protocol Engine Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1584 Windows dnsrslvr.dll Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-1565 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1517 Windows File Server Resource Management Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1518 Windows File Server Resource Management Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1520 Windows Font Driver Host Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1579 Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1529 Windows GDI Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-1480 Windows GDI Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-1467 Windows Hard Link Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1474 Windows Image Acquisition Service Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1485 Windows Image Acquisition Service Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1417 Windows Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1486 Windows Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1566 Windows Kernel Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-1578 Windows Kernel Information Disclosure Vulnerability Important No No 1 1 Info
CVE-2020-1526 Windows Network Connection Broker Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1337 Windows Print Spooler Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1528 Windows Radio Manager API Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1377 Windows Registry Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1378 Windows Registry Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1530 Windows Remote Access Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1537 Windows Remote Access Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1466 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability Important No No N/A 2 DoS
CVE-2020-1383 Windows RRAS Service Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1553 Windows Runtime Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1475 Windows Server Resource Management Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1521 Windows Speech Runtime Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1522 Windows Speech Runtime Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1524 Windows Speech Shell Components Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1512 Windows State Repository Service Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1490 Windows Storage Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1515 Windows Telephony Server Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1519 Windows UPnP Device Host Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1538 Windows UPnP Device Host Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1548 Windows WaasMedic Service Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1533 Windows WalletService Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1556 Windows WalletService Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1552 Windows Work Folder Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1470 Windows Work Folders Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1516 Windows Work Folders Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1484 Windows Work Folders Service Elevation of Privilege Vulnerability Important No No 2 2 EoP

Of the remaining Critical-rated patches, there’s another Outlook bug that could allow code execution through the Preview Pane. That’s makes two months in a row for this type of vulnerability. There’s a patch for an RCE in .NET Framework, and some Windows versions require two patches to be fully protected. There are five patches for the Windows Media Foundation that could allow RCE. The Edge (EdgeHTML-based) PDF reader gets a patch for an RCE in viewing PDFs. In addition to the one mentioned above, there are a couple of other codecs being fixed this month. Again, you’ll need to access the Windows Store for those patches. The remaining Critical-rated patches involve browse-and-own scenarios for various components.

As usual, patches for EoP bugs dominate this release with 61 in total. A total of 13 of these bugs are found in the Windows Backup Engine. Other Windows components getting patched include the Windows Registry, the kernel, WalletService, GDI, and the Print Spooler service. The patch for Print Spooler was reported by several people as this resulted from an incomplete fix in May. ZDI researcher Simon Zuckerbraun will have more details about both patches shortly. It’s definitely worth a read.

Continuing with the Important-rated patches, 17 could result in code execution. These bugs are mostly found in the Office suite of products, but also include Visual Studio, Edge, and the Jet Database Engine. Interestingly, there is an Important-rated RCE vulnerability listed in the Font Driver. These are typically listed as Critical, so it’s not clear why this one does not rate as highly.

There are three Denial-of-Service (DoS) bugs patched in this release. The most severe impacts the Windows Remote Desktop Gateway. Attackers could force it to stop responding by connecting to the systems and sending it specially crafted requests.

Bugs allowing information disclosure receive 16 patches this month. Of note is another bug in Outlook that can be reached via the Preview Pane. In this case, code execution is not possible, thus the Important versus Critical rating. All of the info disclosure bugs this month leak memory but no PII or other sensitive data. The release is rounded out by patches for three spoofing bugs in SharePoint. There are also patches for two cross-site scripting (XSS) bugs in SharePoint and one in Dynamics.

The lone advisory for this month is the revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.

Looking Ahead

The next Patch Tuesday falls on September 8, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!