This month's Patch Tuesday updates address a total of 120 newly discovered software vulnerabilities, of which 17 are critical, and the rest are important in severity.
In a nutshell, your Windows computer can be hacked if you:
- Play a video file — thanks to flaws in Microsoft Media Foundation and Windows Codecs
- Listen to audio — thanks to bugs affecting Windows Media Audio Codec
- Browser a website — thanks to 'all time buggy' Internet Explorer
- Edit an HTML page — thanks to an MSHTML Engine flaw
- Read a PDF — thanks to a loophole in Microsoft Edge PDF Reader
- Receive an email message — thanks to yet another bug in Microsoft Outlook
But don't worry, you don't need to stop using your computer or without Windows OS on it. All you need to do is click on the Start Menu → open Settings → click Security and Update, and install if any new update is available.
Install Updates! Two Zero-Days Under Active Attacks
Another reason why you should not ignore this advice is that two of the security flaws have reportedly been exploited by hackers in the wild and one publicly known at the time of release.
According to Microsoft, one of the zero-day vulnerabilities under active attack is a remote code execution bug that resides in the scripting engine's library jscript9.dll, which is used by default by all versions of Internet Explorer since IE9.
The vulnerability, tracked as CVE-2020-1380, was spotted by Kaspersky Labs and has been rated critical because Internet Explorer remains an important component of Windows as it still comes installed by default in the latest Windows.
Kaspersky researchers explain that the flaw is a use-after-free vulnerability in JScript that corrupts the dynamic memory in Internet Explorer in such a way that an attacker could execute arbitrary code in the context of the current user. So, if the current user is logged in with administrative privileges, the attacker could control the affected system.
"An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements," Microsoft says in its advisory.
Exploited by unknown threat actors as part of 'Operation PowerFall' attacks, a proof-of-concept exploit code, and technical details for the zero-day vulnerability have been published by Kaspersky.
The second zero-day vulnerability—tracked as CVE-2020-1464 and under active exploitation—is a Windows spoofing bug that exists when Windows incorrectly validates file signatures.
This zero-day bug affects all supported versions of Windows and allows attackers to load improperly signed files by bypassing security features intended to prevent incorrectly signed files from being loaded.
Besides these, notably, the batch also includes a critical patch for an elevation of privilege flaw affecting NetLogon for Windows Server editions, where this RPC service serves as a domain controller.
Tracked as 'CVE-2020-1472,' the vulnerability can be exploited by unauthenticated attackers to use Netlogon Remote Protocol (MS-NRPC) to connect to a Domain Controller (DC) and obtain administrative access to run malicious applications on a device on the network.
Home users and server administrators are strongly recommended to apply the latest security patches as soon as possible to prevent malware or miscreants from exploiting and gain complete remote control over their vulnerable computers.