Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days

Microsoft says attackers have used a Windows zero-day to spoof file signatures and another RCE in the Internet Explorer scripting engine to execute code on users' devices.

Windows 10X: The (unofficial) news about the upcoming rollout

Windows 10 security: 'So good, it can block zero-days without being patched'

Systems running the Windows 10 Anniversary Update were shielded from two exploits even before Microsoft had issued patches for them, its researchers have found.

Read More

Microsoft has started rolling out today the August 2020 Patch Tuesday security updates.

This month, the company has patched 120 vulnerabilities across 13 different products, from Edge to Windows, and from SQL Server to the .NET Framework.

Among the 120 vulnerabilities fixed this month, 17 bugs have received the highest severity rating of "Critical," and there are also two zero-days — vulnerabilities that have been exploited by hackers before Microsoft was able to provide today's patches.

Zero-day #1

The first of the two zero-days patched this month is a bug in the Windows operating system. Tracked as CVE-2020-1464, Microsoft says that an attacker can exploit this bug and have Windows incorrectly validate file signatures.

The OS maker says attackers can (ab)use this bug to "bypass security features and load improperly signed files."

As with all Microsoft security advisories, technical details about the bug and the real-world attacks have not been made public. Microsoft security team uses this approach to prevent other hackers from inferring how and where the vulnerability wors/resides, and prolong the time it takes for other exploits to appear in the wild.

Zero-day #2

As for the second zero-day, this one is tracked as CVE-2020-1380, and resides in the scripting engine that ships with Internet Explorer.

Microsoft said it received a report from antivirus maker Kaspersky that hackers had found a remote code execution (RCE) bug in the IE scripting engine and where abusing it in real-world attacks.

While the bug resides in the IE scripting engine, other native Microsoft apps are also impacted, such as the company's Office suite.

This is because Office apps use the IE scripting engine to embed and render web pages inside Office documents, a feature where the scripting engine plays a major role.

This means the bug can be exploited by luring users on malicious sites, or by sending them booby-trapped Office files.

Below is some useful information about today's Microsoft Patch Tuesday, but also the security updates released by other companies this month, which sysadmins might also need to address as well, besides Microsoft's batch.

  • Microsoft's official Security Update Guide portal lists all security updates in a filterable table.
  • ZDNet has published this file listing all this month's security advisories on one single page.
  • Adobe's security updates are detailed here.
  • SAP security updates are available here.
  • VMWare security updates are available here.
  • Citrix has also released some patches today.
  • Oracle's quarterly patches (for Q2 2020, July edition) are available here.
  • Chrome 84 security updates are detailed here.
  • The Android Security Bulletin for August 2020 is detailed here. Patches started rolling out to users' phones last week.
TagCVE IDCVE Title
.NET Framework CVE-2020-1476 ASP.NET and .NET Elevation of Privilege Vulnerability
.NET Framework CVE-2020-1046 .NET Framework Remote Code Execution Vulnerability
ASP.NET CVE-2020-1597 ASP.NET Core Denial of Service Vulnerability
Internet Explorer CVE-2020-1567 MSHTML Engine Remote Code Execution Vulnerability
Microsoft Dynamics CVE-2020-1591 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
Microsoft Edge CVE-2020-1569 Microsoft Edge Memory Corruption Vulnerability
Microsoft Edge CVE-2020-1568 Microsoft Edge PDF Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2020-1562 Microsoft Graphics Components Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2020-1577 DirectWrite Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2020-1561 Microsoft Graphics Components Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2020-1510 Win32k Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2020-1529 Windows GDI Elevation of Privilege Vulnerability
Microsoft JET Database Engine CVE-2020-1473 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-1558 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-1557 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2020-1564 Jet Database Engine Remote Code Execution Vulnerability
Microsoft Office CVE-2020-1483 Microsoft Outlook Memory Corruption Vulnerability
Microsoft Office CVE-2020-1504 Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office CVE-2020-1503 Microsoft Word Information Disclosure Vulnerability
Microsoft Office CVE-2020-1495 Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office CVE-2020-1494 Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office CVE-2020-1493 Microsoft Outlook Information Disclosure Vulnerability
Microsoft Office CVE-2020-1496 Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office CVE-2020-1502 Microsoft Word Information Disclosure Vulnerability
Microsoft Office CVE-2020-1498 Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office CVE-2020-1497 Microsoft Excel Information Disclosure Vulnerability
Microsoft Office CVE-2020-1581 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability
Microsoft Office CVE-2020-1563 Microsoft Office Remote Code Execution Vulnerability
Microsoft Office CVE-2020-1582 Microsoft Access Remote Code Execution Vulnerability
Microsoft Office CVE-2020-1583 Microsoft Word Information Disclosure Vulnerability
Microsoft Office SharePoint CVE-2020-1505 Microsoft SharePoint Information Disclosure Vulnerability
Microsoft Office SharePoint CVE-2020-1573 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2020-1499 Microsoft SharePoint Spoofing Vulnerability
Microsoft Office SharePoint CVE-2020-1500 Microsoft SharePoint Spoofing Vulnerability
Microsoft Office SharePoint CVE-2020-1580 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2020-1501 Microsoft SharePoint Spoofing Vulnerability
Microsoft Scripting Engine CVE-2020-1570 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2020-1555 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2020-1380 Scripting Engine Memory Corruption Vulnerability
Microsoft Video Control CVE-2020-1492 Media Foundation Memory Corruption Vulnerability
Microsoft Windows CVE-2020-1485 Windows Image Acquisition Service Information Disclosure Vulnerability
Microsoft Windows CVE-2020-1587 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1551 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1484 Windows Work Folders Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1489 Windows CSC Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1584 Windows dnsrslvr.dll Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1486 Windows Kernel Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1488 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1490 Windows Storage Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1515 Windows Telephony Server Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1513 Windows CSC Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1553 Windows Runtime Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1552 Windows Work Folder Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1566 Windows Kernel Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1579 Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1512 Windows State Repository Service Information Disclosure Vulnerability
Microsoft Windows CVE-2020-1511 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1480 Windows GDI Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1542 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1543 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1540 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1541 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1544 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1547 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1519 Windows UPnP Device Host Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1545 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1546 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1539 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1528 Windows Radio Manager API Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1530 Windows Remote Access Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1526 Windows Network Connection Broker Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1527 Windows Custom Protocol Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1534 Windows Backup Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1537 Windows Remote Access Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1520 Windows Font Driver Host Remote Code Execution Vulnerability
Microsoft Windows CVE-2020-1535 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1536 Windows Backup Engine Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1470 Windows Work Folders Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1509 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1459 Windows ARM Information Disclosure Vulnerability
Microsoft Windows CVE-2020-1538 Windows UPnP Device Host Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1475 Windows Server Resource Management Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1464 Windows Spoofing Vulnerability
Microsoft Windows CVE-2020-1467 Windows Hard Link Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1550 Windows CDP User Components Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1517 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1518 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1516 Windows Work Folders Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1549 Windows CDP User Components Elevation of Privilege Vulnerability
Microsoft Windows CVE-2020-1383 Windows RRAS Service Information Disclosure Vulnerability
Microsoft Windows Codecs Library CVE-2020-1574 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
Microsoft Windows Codecs Library CVE-2020-1560 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
Microsoft Windows Codecs Library CVE-2020-1585 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
Netlogon CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability
SQL Server CVE-2020-1455 Microsoft SQL Server Management Studio Denial of Service Vulnerability
Visual Studio CVE-2020-0604 Visual Studio Code Remote Code Execution Vulnerability
Windows AI CVE-2020-1521 Windows Speech Runtime Elevation of Privilege Vulnerability
Windows AI CVE-2020-1522 Windows Speech Runtime Elevation of Privilege Vulnerability
Windows AI CVE-2020-1524 Windows Speech Shell Components Elevation of Privilege Vulnerability
Windows COM CVE-2020-1474 Windows Image Acquisition Service Information Disclosure Vulnerability
Windows Kernel CVE-2020-1578 Windows Kernel Information Disclosure Vulnerability
Windows Kernel CVE-2020-1417 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2020-1479 DirectX Elevation of Privilege Vulnerability
Windows Media CVE-2020-1379 Media Foundation Memory Corruption Vulnerability
Windows Media CVE-2020-1554 Media Foundation Memory Corruption Vulnerability
Windows Media CVE-2020-1339 Windows Media Remote Code Execution Vulnerability
Windows Media CVE-2020-1525 Media Foundation Memory Corruption Vulnerability
Windows Media CVE-2020-1487 Media Foundation Information Disclosure Vulnerability
Windows Media Player CVE-2020-1478 Media Foundation Memory Corruption Vulnerability
Windows Media Player CVE-2020-1477 Media Foundation Memory Corruption Vulnerability
Windows Print Spooler Components CVE-2020-1337 Windows Print Spooler Elevation of Privilege Vulnerability
Windows RDP CVE-2020-1466 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
Windows Registry CVE-2020-1377 Windows Registry Elevation of Privilege Vulnerability
Windows Registry CVE-2020-1378 Windows Registry Elevation of Privilege Vulnerability
Windows Shell CVE-2020-1565 Windows Elevation of Privilege Vulnerability
Windows Shell CVE-2020-1531 Windows Accounts Control Elevation of Privilege Vulnerability
Windows Update Stack CVE-2020-1571 Windows Setup Elevation of Privilege Vulnerability
Windows Update Stack CVE-2020-1548 Windows WaasMedic Service Information Disclosure Vulnerability
Windows WalletService CVE-2020-1556 Windows WalletService Elevation of Privilege Vulnerability
Windows WalletService CVE-2020-1533 Windows WalletService Elevation of Privilege Vulnerability