Microsoft patches 120 security bugs in August 2020 Patch Tuesday update.
Seventeen bugs are rated as “critical” meaning they can be easily exploited by hackers to gain full control of a vulnerable machine. Overall, the August security update includes patches for 13 different products, including Microsoft Windows, Microsoft Edge (EdgeHTML-based and Chromium-based), Internet Explorer, ChakraCore, SQL Server, .NET Framework, Scripting Engine, JET Database Engine, ASP.NET Core, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Windows Codecs Library, and Microsoft Dynamics.
The first of the two zero-days fixed this month is a bug in the Internet Explorer (IE) scripting engine. Indexed as CVE-2020-1380, attackers could use this remote code execution (RCE) vulnerability to compromise a system when a user browses to a malicious website with IE, or opens booby-trapped Office files sent by hackers.
While this bug exists in the IE scripting engine, other native Microsoft apps, such as Office suite, are also impacted because Office apps use the IE engine to embed and render web pages inside Office documents.
CVE-2020-1464, a spoofing bug, is another flaw. It could allow hackers to bypass Windows security features and have Windows incorrectly validate file signatures.
Microsoft has also patched a critical issue indexed as CVE-2020-1472, which impacts Windows Server versions and could enable an unauthenticated attacker to run an application of their choice after gaining admin access to a Windows domain controller.
CVE-2020-1337 is the last critical security hole addressed this month. This bug exists in the Windows Print Spool-er service and could enable an attacker to escalate privileges on a system if they were logged on as a regular user.