Getty Images/iStockphoto

Microsoft Patches Remote Execution, Spoofing Flaws Under Active Exploit

DHS CISA alerted private sector organizations to two security updates released by Microsoft, which patch a spoofing flaw and a remote code execution vulnerability under active exploit.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency alerted to two software updates from Microsoft. The latest patch addresses both a spoofing vulnerability and a remote code execution (RCE) flaw currently under active exploit. 

The RCE flaw CVE-2020-1380 is found in the way the scripting engine handles objects in Internet Explorer memory, which could become corrupted in a way that would give an attacker the ability to execute arbitrary code while appearing as a current user. 

In fact, a successful exploit would give a hacker the same user rights as the current user. As such, if the current user is logged on with administrative rights, the exploit would allow an attacker to take control over the impacted system to then install programs and view, change or delete data, as well as create new user accounts complete with full user rights. 

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” researchers explained. 

“An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” they added. “The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.” 

The Microsoft patch addresses the flaw by modifying the way memory is handled by the scripting engine. The vulnerability is found in Windows 10, Windows 7, Windows 8.1, Windows Server 2008, and Windows Server 2012. 

The flaw has been successfully exploited, so organizations should prioritize patching to prevent falling victim to an attack. Microsoft has not identified workarounds or other mitigation methods. 

Microsoft also issued a patch for a spoofing vulnerability listed as CVE-2020-1464, which exists when Windows incorrectly validates file signatures. A successful exploit would allow an attacker to bypass security to load improperly signed files. 

“In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded,” according to the alert. 

The vulnerability is found in Windows 10, Windows 7, and Windows 8.1, as well as Windows Server 2008, Server 2012, Server 2016, Server 2019, and versions 1903, 1909, and 2004. 

Microsoft hasn’t identified any mitigating factors or workarounds for the flaw, which means the patch should be prioritized to prevent exploit as it’s currently under active exploit. 

System vulnerabilities are a key entry point for a number of hacking groups, especially ransomware threat actors. In June, research from Palo Alto Network’ Unit 42 showed a new malware campaign known as Lucifer actively targets a host of unpatched high risk and critical vulnerabilities in Windows to launch both cryptojacking  and denial-of-service attacks. 

The FBI previously warned that as there has been an uptick in ransomware attacks, hackers have increasingly targeted remote desktop protocol vulnerabilities and software vulnerabilities to infect organizations. 

Notably, NetWalker commonly targets vulnerable Pulse Secure Virtual Private Networks (VPNs). In the past week, the hackers have posted data allegedly stolen from several providers and a device manufacturer. 

Next Steps

Dig Deeper on Cybersecurity strategies