Microsoft patches 120 security bugs in August 2020 Patch Tuesday update

Seventeen bugs are rated as "critical," meaning they can be easily exploited by hackers to gain full control of a vulnerable machine

Microsoft's August 2020 Patch Tuesday update addresses a total of 120 security vulnerabilities across a suite of its products and platforms.

Of the security holes plugged this month, two are newly discovered flaws threat actors are currently exploiting in the wild.

17 bugs are rated as "critical," meaning hackers can use them to gain full remote control of a vulnerable system with little or no help from users.

Overall, the August security update includes patches for 13 different products, including Microsoft Windows, Microsoft Edge (EdgeHTML-based and Chromium-based), Internet Explorer, ChakraCore, SQL Server, .NET Framework, Scripting Engine, JET Database Engine, ASP.NET Core, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Windows Codecs Library, and Microsoft Dynamics.

The first of the two zero-days fixed this month is a bug in the Internet Explorer (IE) scripting engine. Indexed as CVE-2020-1380, this remote code execution (RCE) vulnerability could let attackers compromise a system when a user browses to a malicious website with IE or opens booby-trapped Office files sent by hackers.

While this bug exists in the IE scripting engine, other native Microsoft apps, such as the Office suite, are also impacted because Office apps use the IE engine to embed and render web pages inside Office documents.

"[The] vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," Microsoft said.

"The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."

Microsoft credited antivirus maker Kaspersky for discovering the bug and reporting it to the company.

The second zero-day is CVE-2020-1464, a spoofing bug. It could allow hackers to bypass Windows security features and have Windows incorrectly validate file signatures.

Microsoft has also patched a critical issue indexed as CVE-2020-1472, which impacts Windows Server versions and could enable an unauthenticated attacker to run an application of their choice after gaining admin access to a Windows domain controller.

"A vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network," said Dustin Childs of Trend Micro Zero Day Initiative.

"An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access," he explained, adding that fixing the bug entirely could be a problem.

CVE-2020-1337 is the last critical security hole addressed this month. This bug exists in the Windows Print Spooler service and could enable an attacker to escalate privileges on a system if they were logged on as a regular (non-admin) user.

It affects all Windows versions from Windows 7 to Windows 10, and the researchers who discovered it have promised to publish a proof-of-concept exploit this week.