In August, 425 advisories were issued for 354 unique versions of 258 products from 70 different vendors.
Two Zero-day vulnerabilities were reported by Microsoft, including one which was known to it for more than one and half year.
Microsoft’s August Patch Tuesday and vulnerabilities in other third party vendors and products are part of this months’ blog.
Two Zero-day advisories were reported in Microsoft Windows and Internet Explorer 9 and 11.
CVE-2020-1464 is dubbed as “Windows Spoofing” vulnerability. Microsoft Windows uses code signing certificates to authenticate a software’s integrity and verify its publisher. A flaw in the system keeps a signature valid even after appending any content to the end of a Windows installer (.msi). It is dangerous in particular with .jar files which can be used for malicious purpose. Java loads its required resources in a single request. If the attacker successfully appends a malicious JAR file to a signed MSI installer; Microsoft Windows wouldn’t complain and validates the software. Just double-clicking on the file can result in successful exploitation. [1]
The security researchers informed Microsoft approximately one an half year ago, but it decided not to patch the vulnerability at the time. The fix was shipped in August’s Patch Tuesday.
CVE-2020-1380 was also fixed in August Patch Tuesday. The vulnerability is detected in Internet Explorer 9 and 11. It uses the ‘use after free’ bug in IE’s JavaScript ‘Just-in-time engine. Reportedly, the vulnerability can be exploited by merely visiting a specially crafted website. Refer to SA97055 for more details.
Secunia advisories for different Operating systems are as below:
Microsoft issues security patches for its products on every second Tuesday of the month known as Patch Tuesday. On 11th August – Second Tuesday of August, Microsoft issued advisories for these software:
A complete list of all applicable updates for August’s Patch Tuesday is here
4 Secunia Advisories cover updates for each OS pair.
KB Article |
Applies To |
Windows 10 Version 1809, Windows Server 2019 |
|
Windows 10, version 2004 |
|
Windows 10, version 1607, Windows Server 2016 |
|
Windows Server 2012 (Security-only update) |
|
Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) |
|
Windows 7, Windows Server 2008 R2 (Security-only update) |
|
Windows 8.1, Windows Server 2012 R2 (Security-only update) |
|
Windows 7, Windows Server 2008 R2 (Monthly Rollup) |
|
Windows Server 2008 Service Pack 2 (Monthly Rollup) |
|
Windows Server 2012 (Monthly Rollup) |
|
Windows Server 2008 Service Pack 2 (Security-only update) |
For easy understanding of Operations teams and management, Secunia Advisories are ranked into 5 simple and easy to understand criticalities. Secunia research follows a meticulous process which involves detailed analysis, peer review, and a QA process – among other things. Our customers can depend on the intelligence without indulging into more minute details of CVSS, impact and attack vector. All of these factors are considered during the ranking process. Further explained at this link.
65% of vulnerabilities can be exploited from remote, which makes the remediation efforts even more critical.
A CVSS score is a metric used to measure the severity of a vulnerability. CVSS v3 specifications and the criteria details are at this link.
CVSS ranges from 0 to 10. 0 being the lowest and 10 being the highest score; the advisories spread is as below:
Like many other things in life, not every vulnerability is created equal. For the ease of our customers, we provide threat score as an add-on which helps in decision making and prioritization. Higher the score; bigger the risk!
Threat score is calculated based on criticality and its linkage to a recent or historical threat of either remote trojan horse, ransomware, used in penetration testing tools, availability of exploit kit, and cyber exploit. Each rule triggers an increase in the threat value. A detailed explanation of Threat Score calculation is available at this link.
Statistics clearly shows us that software vulnerabilities have a clear relationship with malware, cyber exploits and notorious ransomware. Remediating these vulnerabilities reduces exposure to these threats. Security is a multi-prong approach where one size fits all or one tool to rule them all is not enough. Just like with network, we require multiple layers of protection; similarly, we need to remediate known vulnerabilities along with a reputable anti-malware system.
More than 60% of vulnerabilities can be exploited from remote while massively 92% advisories have a vendor patch while only 5% have either no fix or an upgrade option is available.
Most malware relies on vulnerabilities in everyday use software. Patching effort minimizes the risk and exposure. For Microsoft Windows environment, always deploy the Patch Tuesday and any out of band security updates. Don’t ignore third-party software as more than 86% of vulnerabilities are found in software other than Microsoft.
A complete list of vulnerabilities, affected software, criticality, threat score, and relevant patch information is available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera.
References:
[1] https://blog.virustotal.com/2019/01/distribution-of-malicious-jar-appended.html
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.