Microsoft on Tuesday patched 120 vulnerabilities, two of them notable because they are under active attack and a third because it replaces an earlier, failed fix for a security flaw that allowed attackers to gain a backdoor that persisted even after a machine was updated.
Zero-day vulnerabilities get their name because the affected developer has had zero days to release a patch before the flaw came under attack. Zero-day exploits can be among the most effective because they are usually not detected by antivirus, intrusion-prevention systems, and other security protections. Attacks of this kind typically indicate an above-average threat actor, because of the work and skill required to find an unknown vulnerability and develop a reliable exploit. Adding to the difficulty, the exploit must bypass protections that developers have spent significant resources implementing.
A hacker's dream: Bypassing code-signing controls
The first zero-day is present in all supported versions of Windows, including Windows 10 and Server 2019, which security professionals consider two of the most secure operating systems in the world. CVE-2020-1464 is what Microsoft is calling a Windows Spoofing Vulnerability affecting Authenticode signatures. Attackers who exploit it can sneak their malware onto target systems by bypassing a protection that uses digital signatures to authenticate trusted software.
Authenticode is Microsoft's in-house code-signing technology for ensuring that an application or driver comes from a known, trusted source and has not been tampered with by anyone else. Because they modify the OS kernel, drivers can be installed on Windows 10 and Server 2019 only when they carry one of these cryptographic signatures. In earlier versions of Windows, digital signatures still play an important role in helping AV and other protections detect malicious wares.
The typical way for attackers to bypass this protection is to sign their malware with a valid certificate stolen from a legitimate developer. The investigation of Stuxnet, the worm widely believed to have targeted Iran's nuclear program a decade ago, was one of the first times researchers found the tactic in use.
Since then, researchers have found that the practice dates back to at least 2003 and is much more widespread than previously thought. Stolen certificates continue to be a regular occurrence, with one of the most recent incidents using a certificate stolen from Nfinity Games in 2018 to sign malware that infected several makers of massively multiplayer online games earlier this year.
CVE-2020-1464 let hackers achieve the same bypass without the hassle of stealing a valid certificate, which could be revoked. The wide range of affected Windows versions suggests the vulnerability has existed for years. Microsoft did not provide details about the cause of the vulnerability, how it was exploited, by whom, or who the targets were.
Microsoft usually credits researchers who report the bugs it fixes, but Microsoft's acknowledgments page for this month's Patch Tuesday makes no mention of CVE-2020-1464 at all. A Microsoft representative said the discovery was made internally through research done at Microsoft.
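The two paragraphs above describe the check that Authenticode performs and why a valid signature alone is not proof of trust: a signature made with a stolen certificate verifies just as cleanly as a legitimate one until the certificate is revoked. The following script is an added example and is not part of the article or of any Microsoft tooling. It audits the signatures on a set of binaries with the built-in Get-AuthenticodeSignature cmdlet and reports anything that is unsigned, invalid, or signed by a publisher outside an allow-list. The default path, the allow-list thumbprint, and the Test-BinarySignature function name are assumptions for the example.

```powershell
# Added example, not from the article: audit Authenticode signatures on a set of
# binaries and flag anything unsigned, invalid, or signed by a publisher outside an
# allow-list. The thumbprint entry is a placeholder to replace with your own trusted
# signing certificates; the default path is only a convenient sample set.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32\drivers\*.sys"),
    [string[]]$TrustedThumbprints = @('REPLACE-WITH-TRUSTED-SIGNER-THUMBPRINT')
)

function Test-BinarySignature {
    param([string]$FilePath, [string[]]$AllowList)

    $sig    = Get-AuthenticodeSignature -FilePath $FilePath
    $signer = $sig.SignerCertificate

    [pscustomobject]@{
        File       = $FilePath
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Status     = $sig.Status
        Signer     = if ($signer) { $signer.Subject }    else { '<none>' }
        Thumbprint = if ($signer) { $signer.Thumbprint } else { '<none>' }
        Expires    = if ($signer) { $signer.NotAfter }   else { $null }
        # "Valid" only means the chain verifies. A signature made with a stolen but
        # not-yet-revoked certificate is also Valid, so additionally require a signer
        # that has been explicitly chosen as trusted.
        Trusted    = ($sig.Status -eq 'Valid') -and
                     ($null -ne $signer) -and
                     ($AllowList -contains $signer.Thumbprint)
    }
}

# Report only the files that fail the combined check.
Get-ChildItem -Path $Paths -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-BinarySignature -FilePath $_.FullName -AllowList $TrustedThumbprints } |
    Where-Object { -not $_.Trusted } |
    Sort-Object Status, Signer |
    Format-Table File, Status, Signer, Expires -AutoSize
```

On a stock Windows 10 machine most drivers are catalog-signed by Microsoft, so with the placeholder allow-list every file is reported; replacing the placeholder with the thumbprints of the signers your environment actually trusts turns the output into a short list of exceptions worth looking at.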
IE: Old means insecure
The next zero-day lets attackers install malware of their choice when targets view malicious content with Internet Explorer, an ancient browser with an outdated code base that is vulnerable to all kinds of exploits.
One way attackers can exploit the flaw is by planting booby-trapped code on a targeted website. Another is to embed a malicious ActiveX control in a Microsoft Office application or document that uses the IE rendering engine. Although the control is harmful, it would be marked "safe for initialization," and Windows would treat it as such.
There is no doubt that in-the-wild exploitation is alarming to the people or organizations being attacked. But overall, CVE-2020-1380 is less of a concern for the Internet as a whole because of IE's small user base. With the rise of advanced protections in Chrome, Firefox, and Edge, IE has gone from a browser with near-monopoly usage to one with less than 6 percent market share. Anyone still using it should switch to something with better protection.
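The "safe for initialization" flag mentioned above is a COM category that a control registers for itself, so an administrator can see which controls on a machine make that claim and whether IE's kill bit blocks them. The script below is an added example, not from the article and not a Microsoft tool. It walks HKCR\CLSID, lists every class registered under the CATID_SafeForInitializing category (the GUID constants here are the ones from Microsoft's COM headers, and the 0x400 kill-bit value is the documented "Compatibility Flags" setting), and shows which of those also claim "safe for scripting" and which have no kill bit. The function name Get-SafeForInitControls is an assumption for the example.

```powershell
# Added example, not from the article: enumerate COM classes on this machine that are
# registered as "safe for initializing" (the category a malicious ActiveX control can
# claim) and show whether IE's kill bit is set for each. Category GUIDs are the
# CATID_SafeForInitializing / CATID_SafeForScripting constants from Microsoft's COM
# headers; the kill-bit flag 0x400 is the documented "Compatibility Flags" value.
$CatSafeForInit   = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForScript = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$KillBit          = 0x400

function Get-SafeForInitControls {
    $clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $base  = "$clsidRoot\$clsid"
        # Skip classes that do not claim the category at all.
        if (-not (Test-Path -LiteralPath "$base\Implemented Categories\$CatSafeForInit")) { return }

        $inproc = Get-ItemProperty -LiteralPath "$base\InprocServer32" -ErrorAction SilentlyContinue
        $compat = Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid" -ErrorAction SilentlyContinue
        $flags  = [int]($compat.'Compatibility Flags')   # $null becomes 0

        [pscustomobject]@{
            CLSID            = $clsid
            Name             = (Get-ItemProperty -LiteralPath $base -ErrorAction SilentlyContinue).'(default)'
            Server           = $inproc.'(default)'
            SafeForScripting = Test-Path -LiteralPath "$base\Implemented Categories\$CatSafeForScript"
            KillBitSet       = ($flags -band $KillBit) -eq $KillBit
        }
    }
}

# Controls that claim to be safe but carry no kill bit are the ones to review:
# any IE-rendered surface, Office documents included, can instantiate them.
Get-SafeForInitControls |
    Where-Object { -not $_.KillBitSet } |
    Sort-Object Name |
    Format-Table CLSID, Name, SafeForScripting, Server -AutoSize
```

The output is an inventory, not a verdict: many legitimate controls register both categories. Its value is in spotting third-party DLLs under Server that nobody recognizes, and in confirming that controls you have decided to block really do have the kill bit set.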
A "leet" bug with an elusive fix
The third fix released on Tuesday is CVE-2020-1337. Its number, 1337, which hackers often use to spell "leet," as in "elite," is a fitting coincidence. The more important distinction is that it replaces the patch for CVE-2020-1048, an update that Microsoft released in May.
The May patch was supposed to fix a privilege-escalation vulnerability in the Windows Print Spooler, the service that manages the printing process, including locating and loading printer drivers and scheduling print jobs.
In short, the flaw made it possible for an attacker with the ability to execute low-privileged code to set up a backdoor on vulnerable computers. The attacker could then return at any time to escalate access to full system rights. The vulnerability stemmed from a flaw that allowed an attacker to write arbitrary data to any file on the computer with system privileges. That made it possible to drop a malicious DLL and have it executed by a process running with system privileges.
A detailed technical description of the flaw is given in this post by researchers Yarden Shafir and Alex Ionescu. They note that the print spooler has received little attention from researchers despite being some of the oldest code still running on Windows.
Less than two weeks after Microsoft released the patch, a pseudonymous researcher submitted a report to the Zero Day Initiative bug-bounty service showing that the update failed to fix the vulnerability. The discovery prompted Microsoft to develop a new patch, the one released on Tuesday. ZDI has a complete breakdown of the failed patch here.
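Because the spooler runs with system privileges and, as the paragraphs above note, has had two patch attempts for the same arbitrary-file-write bug, the practical mitigation on hosts that never print is to not run it at all. The script below is an added example, not from the article and not from Microsoft or ZDI. It reports the spooler's state, counts real (non-virtual) printers as a rough signal of whether the host uses printing, looks for unexpected files in the spool directory, and, with -Disable, stops and disables the service only when no real printers are configured. The Get-SpoolerExposure function name and the driver-name pattern used to ignore virtual printers are assumptions for the example.

```powershell
# Added example, not from the article: measure and reduce Print Spooler exposure on
# the local machine. The spooler runs as SYSTEM, so on hosts that never print the
# cheapest mitigation is to stop and disable it. Run with -Disable to apply.
param([switch]$Disable)

function Get-SpoolerExposure {
    $svc      = Get-Service -Name Spooler
    $printers = @(Get-Printer -ErrorAction SilentlyContinue)
    # Assumed heuristic: ignore the virtual printers Windows installs by default so
    # the count reflects real printing use.
    $real = @($printers | Where-Object { $_.DriverName -notmatch 'XPS|PDF|OneNote|Fax' })

    # Spooled jobs land here as .SPL/.SHD pairs; anything else is worth a look.
    $spoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'
    $odd = @(Get-ChildItem -LiteralPath $spoolDir -File -ErrorAction SilentlyContinue |
             Where-Object { $_.Extension -notin '.SPL', '.SHD' })

    [pscustomobject]@{
        Status        = $svc.Status
        StartType     = $svc.StartType
        PrinterCount  = $real.Count
        OddSpoolFiles = @($odd | Select-Object -ExpandProperty FullName)
        LikelyUnused  = ($real.Count -eq 0)
    }
}

$exposure = Get-SpoolerExposure
$exposure | Format-List

if ($Disable) {
    if (-not $exposure.LikelyUnused) {
        Write-Warning "Printers are configured on this host; not disabling the spooler."
    } else {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Host "Print Spooler stopped and disabled. Re-enable with: Set-Service Spooler -StartupType Automatic"
    }
}
```

Get-Printer comes from the PrintManagement module shipped with Windows 8 and later, and the -Disable path needs an elevated prompt. Disabling the service does not replace installing the August patch; it removes the attack surface on machines where the service was never needed in the first place.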
Overall, this month's Patch Tuesday fixed almost three dozen vulnerabilities rated critical and many more with lower ratings. Within a day or so of release, Windows automatically downloads the patches and installs them when the computer is not in use.
For most people, this automatic update system is fine, but if you're like me and want to install them right away, that's also easy. In Windows 10, go to Start > Settings > Update & Security > Windows Update and click Check for Updates. In Windows 7, go to Start > Control Panel > System and Security > Windows Update and click Check for Updates. A restart will be required.