On Tuesday, Microsoft patched 120 vulnerabilities, two noteworthy because they are under active attack, and Tuesday because it fixes a previous patch for a security vulnerability that allowed an attacker to gain access. The following persists even after the machine is updated.
Zero-day vulnerabilities are named because an affected developer has no day to release a patch before the security vulnerability is hit. Zero-day exploits can be one of the most effective because they are often undetected by anti-virus software, intrusion prevention systems, and other security protections. These types of attacks typically indicate an above-average threat agent because of the work and skills required to identify an unknown vulnerability and develop a credible exploit. Adding difficulty: the exploit must overcome the defenses that the developers have devoted considerable resources to implement.
A hacker dream: Pass code signing test
The first zero-day available in all supported versions of Windows, including Windows 10 and Server 2019, is considered by security experts as two of the safest operating systems in the world. CVE-2020-1464 is what Microsoft calls Windows Authentication Signature Spoofing Vulnerability. Hackers that exploit it can sneak their malware into targeted systems by bypassing a malware defense system that uses digital signatures to certify that the software is trustworthy. .
Authenticode is Microsoft’s internal code signing technology to ensure that an app or driver comes from a known and trusted source and hasn’t been tampered with by anyone else. Because they modify the operating system kernel, the driver can only be installed on Windows 10 and Server 2019 when they have one of these cryptographic signatures. On earlier versions of Windows, digital signatures still played an important role in helping AV and other protections detect malicious items.
A typical way for attackers to bypass this protection is to sign their malware with a valid certificate stolen from a legitimate vendor. The investigation of Stuxnet, the worm believed to have targeted Iran’s nuclear program a decade ago, was one of the first times that researchers discovered a tactic in use.
However, since then, researchers have found that the practice dates back to at least 2003 and is much more common than previously thought. The stolen certificate continues to happen more often with one of the more recent incidents than using the stolen certificate in 2018 from Nfinity Games to sign the malware that has infected some manufacturers multiplayer online game earlier this year.
CVE-2020-1464 makes it possible for a hacker to achieve the same pass without the trouble of stealing a valid certificate or worrying that it might be revoked. Servers of affected versions of Windows show that security flaws have existed for many years. Microsoft did not provide details on the cause of the vulnerability, how it was exploited, by whom, or by whom.
Microsoft often credits researchers for reporting bugs it fixes, but Microsoft’s confirmation page for this month’s Third Update does not mention CVE-2020-1464. A Microsoft representative said the discovery was made internally through research done at Microsoft.
IE: As old is not safe
No other day of attack can install malware of the attacker’s choice when targets view malicious content using Internet explorer, an archaic browser with an outdated code base susceptible to being hacked by anyone. type of extraction.
One way attackers can exploit the vulnerability is by installing code stuck on the website the target visits. Another method is to embed a malicious ActiveX control in a Microsoft Office application or document using the IE rendering engine. Although harmful, Windows will show that the ActiveX control is “safe to initialize.”
Without a doubt, exploitation in the wild is alarming to those or organizations that are under attack. But overall, CVE-2020-1380 has little to do with the Internet in general because of its small base of endangered users. With the rise of advanced protections in Chrome, Firefox, and Edge, IE has gone from being used almost exclusively to one with a market share of less than 6%. Anyone who still uses it should abandon it for something more defensive.
A “leet” bug with an elusive fix
The third fix to be released on Tuesday is CVE-2020-1337. Its number, 1337, which hackers often use to spell “leet,” as in “elite”, is a remarkable trait. The more important difference is that it is a patch for CVE-2020-1048, an update that Microsoft released in May.
The May patch is expected to fix the privilege escalation vulnerability in Windows Print Spooler, a print process management service that includes locating printer drivers and downloading them and scheduling print jobs.
In short, this vulnerability gives an attacker a low ability to execute privileged code to set up a backdoor on vulnerable computers. An attacker can come back at any later time to upgrade access to Almighty System permissions. This vulnerability results from a print spooler that allows an attacker to write arbitrary data to any file on a computer with system privileges. That makes it possible to remove a malicious DLL and make it run by a process that runs with system privileges.
A detailed technical description of this vulnerability is provided in this post from researchers Yarden Shafir & Alex Ionescu. They note that the print spooler received little attention from researchers despite some of the oldest code still running in Windows.
Less than two weeks after Microsoft released the patch, a researcher with a math1as processor submitted a report to the Zero Day Initiative bug bounty service showing the update could not fix the vulnerability. This discovery prompted Microsoft to develop a new patch. As a result one was released on Tuesday. ZDI has the full patch issue here.
Overall, this month’s Third Update patched nearly three dozen vulnerabilities rated critical and many others with lower ratings. Within a day of its release, Windows will automatically download patches and install them at times the computer is not in use.
For most people, this automatic updates system is fine, but if you’re like me and want to install them right away, that’s easy too. On Windows 10, go to Start> Settings> Update & Security> Windows Update and click on Check for updates. On Windows 7, go to Start> Control Panel> System and Security> Windows Update and click on Check for Updates. Restart will be required.