As part of its August 2020 Patch Tuesday release, Microsoft addressed a total of 120 vulnerabilities across 13 products, including two zero-day flaws that were being actively exploited in the wild before the fixes shipped.
The first flaw, tracked as CVE-2020-1464, is a spoofing vulnerability in Windows caused by the operating system incorrectly validating file signatures. An attacker who exploits it can bypass the security features that are meant to block improperly signed files and get such a file loaded as if it carried a valid signature.
CVE-2020-1464 affects a wide range of Windows versions, including Windows 7 and Windows Server 2008, which reached end of support in January 2020 and now receive security fixes only through Microsoft's paid Extended Security Updates program.
The second issue, CVE-2020-1380, is a remote code execution bug in the scripting engine used by Internet Explorer, caused by the way the engine handles objects in memory; Microsoft's advisory classes it as a scripting engine memory corruption vulnerability. The flaw was reported to Microsoft by researchers at Kaspersky Lab.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explains.
There are two exploitation paths. In a web-based scenario, the attacker hosts a specially crafted website that triggers the flaw and lures the victim into visiting it, typically via a link in an email or instant message. Alternatively, the attacker can embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Internet Explorer rendering engine, and convince the user to open that file.
While Microsoft did not reveal any details about the attacks exploiting these flaws, Kaspersky Lab has shared some information about the campaign in which CVE-2020-1380 was used and about the suspected actors behind it.
The researchers said that in May this year they blocked an attack, which they named 'Operation PowerFall', against an undisclosed South Korean company; the attack delivered a malicious script through Internet Explorer. Their investigation revealed that it "used a previously unknown full chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows." The elevation-of-privilege component targeted CVE-2020-0986, which Microsoft had already patched in June 2020; CVE-2020-1380 is the Internet Explorer half of that chain.
While Kaspersky Lab was unable to attribute the Operation PowerFall campaign to any known threat group with confidence, the firm says that similarities with previously discovered exploits may point to the DarkHotel APT group, a Korean-speaking actor that researchers have generally assessed to be operating out of South Korea rather than the North.