Microsoft on Tuesday patched 120 vulnerabilities, two that are notable because they’re under active attack and a third because it fixes a previous patch for a security flaw that allowed attackers to gain a backdoor that persisted even after a machine was updated.
Zero-day vulnerabilities get their name because an affected developer has zero days to release a patch before the security flaw is under attack. Zero-day exploits can be among the most effective because they usually go undetected by antivirus, intrusion prevention systems, and other security protections. These types of attacks usually indicate a threat actor of above-average means because of the work and skill required to identify the unknown vulnerability and develop a reliable exploit. Adding to the difficulty: the exploits must bypass defenses developers have spent considerable resources implementing.
A hacker’s dream: Bypassing code-signing checks
The first zero-day is present in all supported versions of Windows, including Windows 10 and Server 2019, which security professionals consider two of the world’s most secure operating systems. CVE-2020-1464 is what Microsoft is calling a Windows Authenticode Signature Spoofing Vulnerability. Hackers who exploit it can sneak their malware onto targeted systems by bypassing a malware defense that uses digital signatures to certify that software is trustworthy.
Authenticode is Microsoft’s in-house code-signing technology for ensuring that an app or driver comes from a known and trusted source and hasn’t been tampered with by anyone else. Because they modify the OS kernel, drivers can be installed on Windows 10 and Server 2019 only when they bear one of these cryptographic signatures. On earlier Windows versions, digital signatures still play an important role in helping AV and other protections to detect malicious wares.
The typical route for attackers to bypass this protection is to sign their malware with a valid certificate stolen from a legitimate provider. The investigation into Stuxnet, the worm that’s widely believed to have targeted Iran’s nuclear program a decade ago, was one of the first times researchers had discovered the tactic being used.
Since then, however, researchers have found the practice dates back to at least 2003 and is much more widespread than previously thought. Stolen certificates continue to be a regular occurrence with one of the more recent incidents using a certificate stolen in 2018 from Nfinity Games to sign malware that infected several Massively Multiplayer Online game makers earlier this year.
CVE-2020-1464 made it possible for hackers to achieve the same bypass without the hassle of stealing a valid certificate or worrying it might be revoked. The host of Windows versions affected suggests that the vulnerability has existed for years. Microsoft provided no details about the cause of the vulnerability, how it’s exploited, by whom, or who the targets are.
Microsoft typically credits the researchers who reported flaws it fixes, but Microsoft’s acknowledgment page for this month’s Update Tuesday makes no mention at all of CVE-2020-1464. A Microsoft representative said the discovery was made internally through research done at Microsoft.
IE: As old as it is insecure
The other zero-day under attack can install malware of an attacker’s choice when targets view malicious content with Internet explorer, an ancient browser with an outdated code base that’s vulnerable to all kinds of exploits.
One way attackers can exploit the flaw is by planting booby-trapped code on a website the target visits. Another method is to embed a malicious ActiveX control in an application or Microsoft Office document that uses the IE rendering engine. Despite being harmful, Windows will show that the ActiveX control is “safe for initialization.”
There’s no doubt that the in-the-wild exploits are alarming to the people or organizations under attack. But all in all, CVE-2020-1380 is less concerning to the Internet as a whole because of the small base of users threatened. With the rise of advanced protections in Chrome, Firefox, and Edge, IE has gone from a browser with near-monopoly usage to one with less than 6% marketshare. Anyone still using it should give it up for something with better defenses.
A “leet” bug with an elusive fix
The third fix released on Tuesday is CVE-2020-1337. Its number, 1337, which hackers often use to spell “leet,” as in “elite,” is one noteworthy trait. The more important distinction is that it’s a patch for CVE-2020-1048, an update that Microsoft released in May.
The May patch was supposed to fix a privilege escalation vulnerability in the Windows Print Spooler, a service that manages the printing process, including locating printer drivers and loading them and scheduling print jobs.
In short, the flaw made it possible for an attacker with the ability to execute low-privileged code to establish a backdoor on vulnerable computers. The attacker could return any time after that to escalate access to all-powerful System rights. The vulnerability was the result of the print spooler allowing an attacker to write arbitrary data to any file on a computer with system privileges. That made it possible to drop a malicious DLL and get it executed by a process running with system privileges.
A detailed technical description of this flaw is provided in this post from researchers Yarden Shafir & Alex Ionescu. They note that the print spooler has received little attention from researchers despite being some of the oldest code still running in Windows.
Less than two weeks after Microsoft issued the patch, a researcher with the handle math1as, submitted a report to the bug bounty service Zero Day Initiative that showed the update failed to fix the vulnerability. The discovery required Microsoft to develop a new patch. The result is the one that was released on Tuesday. ZDI has a full breakdown of the failed patch here.
In all, this month’s Update Tuesday patched almost three-dozen vulnerabilities rated critical and many more with lower ratings. Within a day or so of release, Windows automatically downloads patches and installs them at times when the computer isn’t in use.
For most people, this automatic update system is fine, but if you’re like me and want to install them right away, that’s easy, too. On Windows 10, go to Start > Settings > Update & Security > Windows Update, and click Check for Updates. On Windows 7, go to Start > Control Panel > System and Security > Windows Update and click Check for Updates. A reboot will be required.