Microsoft has closed 120 vulnerabilities in Windows and beyond. One of them was found by Kaspersky Lab


Microsoft has begun distributing its monthly security updates as part of Patch Tuesday. The release includes fixes for 120 vulnerabilities in 13 Microsoft products, including Windows, Edge, SQL Server, and others. Among other things, installing the updates fixes 17 critical vulnerabilities, as well as two zero-day vulnerabilities, one of which was exploited by cybercriminals in practice.

As for the zero-day vulnerabilities, one of them affects Windows and is tracked as CVE-2020-1464. Exploitation of this vulnerability has been reported to allow attackers to forge digital signatures on files in order to “bypass security features used to verify the authenticity of signed files.”

Microsoft has not disclosed technical details of this vulnerability or of the cases in which hackers actually used it. This is the company's usual practice: Microsoft is reluctant to point hackers toward places where other problems might be found.

The second zero-day vulnerability is in the Internet Explorer scripting engine and is tracked as CVE-2020-1380. This flaw allows remote code execution on the target device. The vulnerability, as well as cases of its actual use in practice, was discovered by specialists from Kaspersky Lab, who reported the problem to Microsoft.

Although the vulnerability was identified in the IE scripting engine, it affects several other Microsoft products, including Microsoft Office. This is because Office uses the IE scripting engine to embed and render web pages in Office documents. To exploit this vulnerability, attackers must get the victim to visit a malicious site or open a specially modified Office document.

Unfortunately, details of other vulnerabilities have not yet been released. System administrators who maintain computers in organizations and institutions are advised to conduct compatibility testing before mass patching.
