Microsoft fixes two zero days in Windows during Patch Tuesday
Microsoft has fixed two zero-day vulnerabilities in Windows. During Patch Tuesday, a total of 120 bugs were fixed, including a bug in Internet Explorer and a spoofing vulnerability that were actively exploited.
Of the 120 bugs, 17 are rated ‘critical’, according to the release notes of cumulative updates KB4566783 and KB4565351. The other 103 are rated ‘important’. It’s Microsoft’s third-largest Patch Tuesday; only those in June and July of this year were larger.
Two of the vulnerabilities were zero days that, according to Microsoft, were actively exploited. The first is a memory corruption vulnerability in Internet Explorer, tracked as CVE-2020-1380. With this vulnerability, an attacker could infect a victim via a phishing website and install programs or create new admin users. The other is CVE-2020-1464, a spoofing vulnerability that allowed attackers to forge a file’s signature, making it easier to install infected files.
One of the ‘critical’ bugs is a privilege escalation vulnerability. Bugs of that type usually do not receive such a classification. It is CVE-2020-1472, in which an attacker can establish a Netlogon connection with a domain controller via the Netlogon Remote Protocol.
| Windows 10 version | Update |
| --- | --- |
| 1507 | KB4571692 |
| 1607 | KB4571694 |
| 1703 | KB4571689 |
| 1709 | KB4571741 |
| 1803 | KB4571709 |
| 1809 | KB4565349 |
| 1903/1909 | KB4565351 |
| 2004 | KB4566782 |