David Hewson
Cyber Security Assessor
Welcome back to another instalment of the Softcat Post-Patch Tuesday roundup. This one is jam packed with information and more patches than ever, so lets get started…
Microsoft
Microsoft has been busy building patchesthis month with 120 vulnerabilities addressed meaning they’ll be taking up a big ol’ chunk of this month’s blog, as well your time. Remember to factor this into your patching cycle, as this release could take a long time to install on some machines and could require several reboots to complete.
We’ll start with the vulnerabilities that we’re seeing already exploited in the wild; Internet Explorer (CVE-2020-1380) is one of the more concerning vulnerabilities, as a scripting engine memory corruption issue means that an attacker could gain arbitrary code execution just by simply browsing with IE to an attacker’s malicious web page. While it’s true that many end-users have moved away from Internet Explorer in favour of Edge, Chrome or other 3rd party browsers, the underlying components of IE are embedded in many other features across the OS, including some elements of Office. This allows a booby-trapped document containing Active-X Controls to be another attack vector.
More shocking in its apparent simplicity is CVE-2020-1464, a “spoofing” vulnerability which manages to sneak file signatures past Windows’ validation processes. This completely bypasses the built-in security features and allows the attacker to run malicious code. While this vulnerability is scored fairly low with a base CVSS of 5.3, this too is being actively exploited and needs patching promptly.
Finally, we’ll touch on CVE-2020-1472, which comes in two parts. Firstly, this month’s release fixes a critical bug in Netlogon, specifically Netlogon Remote Procedure Call protocol (MS-NPRC). This can be exploited by an unauthenticated attacker connecting to a Domain Controller over MS-NRPC and could allow them to gain elevated privileges to carry out further attacks. While this requires them to have access to the Domain Controller, the CVSS score indicates how trivial it is to carry out. Let’s break it down quickly:
Microsoft’s assessment: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C = 10.0
AV:N - Attack Vector: Network
AC:L - Attack Complexity: Low
PR:N – Privileges Required: None
UI:N – User Interaction: None
S:C - Scope: Changed (meaning exploiting the vulnerability can affect assets other than the target Domain Controller)
C:H – (effect on) Confidentiality: High
I:H - (effect on) Integrity: High
A:H - (effect on) Availability: High
E:P – Exploit Code: Proof of concept
RL:O – Remediation Level: Official fix available
RC:C - Report Confidence: Confirmed (Ref: https://www.first.org/cvss/specification-document) The second part of all this is that the patch introduces the underlying infrastructure for Windows to use Secure RPC, by putting a number of Event IDs into the Domain Controller Event Logs to identify non-secure RPC connections. These should be followed up and remediated because, come February 2021, Microsoft will be enabling by default the Secure RPC system. This will block any non-secure connections and potentially break outdated or unsupported systems.
6 months is a long time unless you’re a Windows SysAdmin, in which case it’ll go by in a flash. Don’t wait around to start that project, especially those of us on larger networks.
Adobe
After a quiet few months Adobe have released updates for both Acrobat & Reader, in the form of a large number of high rated bugs, This one should be a no-brainer by now, with Adobe products managed by a central updating tool or set to auto-update themselves when patches become available. More information on those updates is available here.