Patch Tuesday: Microsoft: Two Actively Exploited (incl. IE) and File Validation
On Tuesday, August 11, Microsoft released updates to address at least 120 vulnerabilities in Windows and other products and services. Two of the flaws are being actively exploited: a memory corruption vulnerability in the scripting engine in Internet Explorer, and a spoofing flaw in Windows file validation that could be exploited to bypass security features.
I really like The Register's excellent headline, but I will add one thing: A lot of VPN approaches only support connectivity back to corporate data centers when the user has initiated the VPN and it hasn't timed out. Other VPN approaches that are always on don't handle intermittent or low speed home internet connections very well. Patch success rates for those sporadically-connected devices are always lower than LAN-connected or always on VPN approaches on solid remote connections; worth extra attention on this patch-filled vacation/holiday month.
As IE is being actively exploited, it may also be time to change the default browser. Consider limiting IE through the perimeter to reduce the likelihood of interaction with malicious sites. While you're busy queueing up application of this month's suite of patches, take a check of your backup system to make sure you're covered in case something goes wrong.
This is the third "Patch Tuesday" in a row when the number of vulnerabilities addressed exceeded one hundred. One does not know whether to credit Microsoft for its diligence or condemn it for the quality of its code. Suffice it to say that the next Patch Tuesday will address far more than zero vulnerabilities and most of them will be older than a month. While patching is mandatory, one cannot patch one's way to security. Use "least privilege" access control at all layers, internal firewalls, strong authentication, structured networks, and end-to-end application layer encryption to reduce your attack surface and hide potentially vulnerable processes. While I still do not like the expression "Zero Trust," it is an old idea whose time has come.
William Hugh Murray
Read more in
KrebsOnSecurity: Microsoft Patch Tuesday, August 2020 Edition
Register: We spent way too long on this Microsoft, Intel, Adobe, SAP, Red Hat Patch Tuesday article. Just click on it, pretend to read it,
Duo: Microsoft Patches Zero Days Used in Targeted Attacks
Threatpost: Two 0-Days Under Active Attack, Among 120 Bugs Patched by Microsoft
Ars Technica: 0-days, a failed patch, and a backdoor threat. Update Tuesday highlights
Dark Reading: Microsoft Patches 120 Vulnerabilities, Two Zero-Days
SC Magazine: Microsoft patches 2 actively exploited zero-day flaws
ZDNet: Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days
Bleeping Computer: Microsoft August 2020 Patch Tuesday fixes 2 zero-days, 120 flaws
MSRC: Security Update Summary