Patch Tuesday used to be Microsoft's day to release patches. Now Adobe, Intel, and SAP are routinely joining the fun – with special guest star Red Hat this month.
Redmond on pace for record patch volumes
If you've felt overwhelmed by the sheer number of security patches Microsoft has emitted this year, you are not alone. Patch watchers at the Zero Day Initiative said that, including the 120 product security bulletins posted this August, Microsoft is just 11 patches away from surpassing its 2019 full-year total with four months still to go in 2020.
Among the bumper crop this month is an under-attack code execution vulnerability in Internet Explorer (CVE-2020-1380). Microsoft said, in addition to being embedded into a web page, exploit code could also be baked into an ActiveX extension that would be launched via an Office doc.
Also being targeted in the wild is CVE-2020-1464, a spoofing flaw traced back to Windows file validation. In this case, the attackers are tricking users into running unsigned (or improperly signed) files already on their machines.
"Microsoft does not list where this is public or how many people are affected by the attacks," noted ZDI's Dustin Childs. "Regardless, this bug affects all supported versions of Windows, so test and deploy this one quickly."
In all, 13 critical flaws were also fixed, including nasty ones in Netlogon (CVE-2020-1472) and Outlook (CVE-2020-1483), as well as a Windows Media codec RCE that can be exploited via a webpage (CVE-2020-1339).
The Netlogon bug, technically an elevation of privilege error, is particularly nasty for businesses as it would allow an attacker to run applications on a network by exploiting a domain controller.
"What’s worse is that there is not a full fix available," said Childs. "This patch enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug."
As per usual, a healthy number of critical flaws were found in Media Foundation (CVE-2020-1525, CVE-2020-1379, CVE-2020-1477, CVE-2020-1492, CVE-2020-1554) that can be exploited via either webpage or document files.
In addition to CVE-2020-1483, Office received fixes for five code execution flaws in Excel (CVE-2020-1494, CVE-2020-1495, CVE-2020-1496, CVE-2020-1498, CVE-2020-1504) and one information disclosure bug (CVE-2020-1497). In SharePoint there was a cross-site-scripting flaw (CVE-2020-1573), spoofing vulnerabilities (CVE-2020-1499, CVE-2020-1500), and an information disclosure bug (CVE-2020-1505). Word is the subject of three information disclosure holes (CVE-2020-1502, CVE-2020-1503, CVE-2020-1583).
And here's something you don't see every day: a data-leaking speculative-execution hole in Windows Arm (CVE-2020-1459). An attacker would already need to be running code on the target machine in order to exploit this, but it's still an interesting one to look at.
Intel issues critical server alerts
Headlining Intel's rollout is an alert for critical flaws in the firmware of Intel's server boards, server systems, and compute modules.
The most serious is CVE-2020-8708, an escalation-of-privilege bug due to improper authentication controls. Intel says this one can be exploited by an attacker with network access: specifically, unauthenticated miscreants with a network foothold can use it to commandeer machines.
The flaw earned a "critical" CVSS base score of 9.6 out of 10. Another network-exploitable elevation-of-privilege bug, CVE-2020-8707, also received an alert from Chipzilla, albeit at a slightly lower score of 8.3: "Buffer overflow in daemon for some Intel Server Boards, Server Systems, and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access."
Admins will also want to take a look at CVE-2020-8730, CVE-2020-8731, CVE-2020-8719, CVE-2020-8721, CVE-2020-8710, CVE-2020-8711, CVE-2020-8712, and CVE-2020-8718. These elevation-of-privilege bugs are a bit less serious, as they require local access. Still, "elevation-of-privilege" and "server" are generally not words you want to see in close proximity.
If that wasn't enough, there are patches for elevation-of-privilege holes in the BIOS of Intel server boards. A separate advisory warns of two elevation-of-privilege bugs in the M10JNP2SB server board.
While we're discussing bugs in the data center, there's also an elevation-of-privilege vuln in Chipzilla's SSD Intel Data Center Tool. Oh, and these elevation of privilege bugs in the RSTe RAID Driver.
Chipzilla also addressed elevation-of-privilege flaws in its graphics drivers for Windows and a handful of denial of service, elevation of privilege, and information disclosure flaws in Bluetooth in Windows, Linux and ChromeOS.
Two dozen-plus ways to pwn Reader and Acrobat
Nearly all of Adobe's fixes this month were for bugs in Acrobat and Reader, 26 of them in total. Of these, nine allow for code execution, eleven are information disclosure faults, two are security bypasses, two are denial-of-service flaws, one is a privilege escalation error, and one is a memory leak issue.
Those using Lightroom Classic will also want to get the update for CVE-2020-9724, a privilege escalation bug caused by insecure library loading.
Critical Red Hat fixes
It's not technically a "Patch Tuesday" dump, as Red Hat emits security advisories whenever necessary, but while admins are patching, they might want to check out all six of the recent advisories, including the entries for CVE-2020-10731 (a security bypass in OpenStack) and this massive update for Chromium.
15 new notes from SAP
The big news from SAP is actually an update to last month's patch bundle. Added to the release was CVE-2020-6286, a fix for a cross-site-scripting flaw in Netweaver AS Java.
Among the more serious bugs patched were a cross-site-scripting flaw in Netweaver (CVE-2020-6284) and a missing authentication check in Business Objects BI.
So there you have it – who needs sleep anyway? Time to get patching: check for and fetch updates via the usual mechanisms, test if necessary, deploy when able. ®