Microsoft Reveals New Innocent Ways Windows Users Can Get Hacked

Microsoft earlier today released its August 2020 batch of
software security updates for all supported versions of its Windows
operating systems and other products.

This month’s Patch Tuesday updates address a total of 120 newly
discovered software vulnerabilities, of which 17 are critical, and
the rest are important in severity.

In a nutshell, your Windows computer can be hacked if you:

• Play a video file — thanks to flaws in Microsoft Media
  Foundation and Windows
  Codecs^[1][2]
• Listen to audio — thanks to bugs affecting Windows Media Audio
  Codec
• Browser a website — thanks to ‘all time buggy’ Internet
  Explorer
• Edit an HTML page — thanks to an MSHTML
  Engine^[3] flaw
• Read a PDF — thanks to a loophole in Microsoft Edge PDF
  Reader
• Receive an email message — thanks to yet another bug in Microsoft
  Outlook^[4]

But don’t worry, you don’t need to stop using your computer or
without Windows OS on it. All you need to do is click on the Start
Menu → open Settings → click Security and Update, and
install if any new update is available.

Install Updates! Two Zero-Days Under Active Attacks

Another reason why you should not ignore this advice is that two of
the security flaws have reportedly been exploited by hackers in the
wild and one publicly known at the time of release.

According to Microsoft, one of the zero-day vulnerabilities under
active attack is a remote code execution bug that resides in the
scripting engine’s library jscript9.dll, which is used by default
by all versions of Internet Explorer since IE9.

The vulnerability, tracked as CVE-2020-1380^[5], was spotted by
Kaspersky Labs and has been rated critical because Internet
Explorer remains an important component of Windows as it still
comes installed by default in the latest Windows.

Kaspersky researchers explain that the flaw is a use-after-free
vulnerability in JScript that corrupts the dynamic memory in
Internet Explorer in such a way that an attacker could execute
arbitrary code in the context of the current user. So, if the
current user is logged in with administrative privileges, the
attacker could control the affected system.

“An attacker could also embed an ActiveX control marked “safe
for initialization” in an application or Microsoft Office document
that hosts the IE rendering engine. The attacker could also take
advantage of compromised websites and websites that accept or host
user-provided content or advertisements,” Microsoft says in its
advisory.

Exploited by unknown threat actors as part of ‘Operation
PowerFall‘ attacks, a proof-of-concept
exploit^[6] code, and technical
details for the zero-day vulnerability have been published by
Kaspersky.

The second zero-day vulnerability—tracked as CVE-2020-1464
and under active exploitation—is a Windows spoofing bug that exists
when Windows incorrectly validates file signatures.
^[7]

This zero-day bug affects all supported versions of Windows and
allows attackers to load improperly signed files by bypassing
security features intended to prevent incorrectly signed files from
being loaded.

Besides these, notably, the batch also includes a critical patch
for an elevation of privilege flaw affecting
NetLogon^[8] for Windows Server
editions, where this RPC service serves as a domain controller.

Tracked as ‘CVE-2020-1472,’ the vulnerability can be exploited
by unauthenticated attackers to use Netlogon Remote Protocol
(MS-NRPC) to connect to a Domain Controller (DC) and obtain
administrative access to run malicious applications on a device on
the network.

Home users and server administrators are strongly recommended to
apply the latest security patches as soon as possible to prevent
malware or miscreants from exploiting and gain complete remote
control over their vulnerable computers.