Microsoft has delivered a total of 120 bug fixes as part of August 2020 Patch Tuesday, including patches for two zero-day flaws.
Seventeen of the vulnerabilities were handed a maximum severity rating of 10/10, as per the Common Vulnerability Scoring System (CVSS), while two were classified as zero-days, meaning hackers were able to exploit the bugs before Microsoft could issue a fix.
The high volume of vulnerabilities addressed on August 2020 Patch Tuesday makes it the third largest ever, behind only June 2020 (126 vulnerabilities) and July 2020 (123 vulnerabilities).
Microsoft August 2020 Patch Tuesday
The first of the two zero-days patched by Microsoft is a spoofing vulnerability affecting the Windows OS, which could be used to “bypass security features and load improperly signed files.”
“In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded. The update addresses the vulnerability by correcting how Windows validates file signatures,” explained Microsoft.
The second zero-day was present in web browser Internet Explorer 11 and has been described by the Redmond giant as “critical”.
Disclosed by security firm Kaspersky, the bug was found in the browser’s scripting engine and could be used to perform remote code execution on a target device.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” reads the vulnerability report.
This could be especially problematic if an attacker were to target a user with administrative privileges, allowing them to install software, edit or delete data and create new accounts with full access privileges.
To mitigate both zero-day vulnerabilities, as well as the 118 others addressed by August 2020 Patch Tuesday, users are advised to update to the latest versions of all Microsoft products.
The full list of vulnerabilities patched can be found here.