By Jon Munshaw.
UPDATE: Additional rules to cover CVE-2020-1472 were published in our recent rule release. Please enable rules 55703 and 55704 for additional coverage.
Microsoft released its monthly security update Tuesday, disclosing 120 vulnerabilities across its array of products.
Sixteen of the vulnerabilities are considered “critical,” including one that Microsoft says is currently being exploited in the wild. Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs.
The security updates cover several different products including Microsoft Media Foundation, the Windows Registry and Microsoft Outlook.
Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For complete details, check out the latest Snort advisory here.
Microsoft Media Foundation contains the largest number of these critical vulnerabilities. The bugs (CVE-2020-1379, CVE-2020-1477, CVE-2020-1492, CVE-2020-1525 and CVE-2020-1554) could all allow an adversary to corrupt memory in a way that would allow them to execute code remotely on the victim machine. Any of these vulnerabilities could be triggered if the target opens a specially crafted document or web page.
The Microsoft Scripting Engine also contains two similar vulnerabilities (CVE-2020-1380 and CVE-2020-1555). With these, an attacker could again corrupt memory on the victim machine and then execute remote code. Microsoft’s release states that CVE-2020-1380 has been exploited in the wild, though no proof-of-concept code is publicly available.
Microsoft’s Netlogon Remote Protocol also includes a notable remote code execution vulnerability. CVE-2020-1472 could allow a malicious user to execute a specially crafted application on a machine connected to the victim network. After installing today’s update, users are encouraged to deploy Domain Controller (DC) enforcement mode.
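The paragraph above recommends deploying Domain Controller enforcement mode once the update is installed. The following PowerShell is an added example, not code from this Talos post or from Microsoft: it checks whether enforcement mode is set on a domain controller, turns it on, and lists the Netlogon events that show which clients are still negotiating vulnerable secure channels. It assumes the `FullSecureChannelProtection` registry value and the NETLOGON event IDs 5827, 5828 and 5829 documented in Microsoft's CVE-2020-1472 guidance (KB4557222); run it in an elevated PowerShell session on a patched DC.

```powershell
# Added example (not from the Talos post or Microsoft). Assumes the registry
# value and event IDs from Microsoft's CVE-2020-1472 guidance (KB4557222).
# Run elevated on a domain controller that already has the August update.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonEnforcementMode {
    # Returns 1 when DC enforcement mode is on, 0 when explicitly off,
    # and $null when the value has never been set.
    $prop = Get-ItemProperty -Path $NetlogonParams `
        -Name 'FullSecureChannelProtection' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.FullSecureChannelProtection
}

function Enable-NetlogonEnforcementMode {
    # DWORD 1 = reject vulnerable Netlogon secure-channel connections.
    New-ItemProperty -Path $NetlogonParams -Name 'FullSecureChannelProtection' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    return Get-NetlogonEnforcementMode
}

function Get-NetlogonSecureChannelEvents {
    param([int]$Days = 7)
    # 5827/5828: vulnerable connection denied (machine / trust account).
    # 5829: vulnerable connection allowed because enforcement mode is off.
    # Review 5829 entries before enabling enforcement so that legacy devices
    # are patched or exempted rather than silently cut off.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Report current state and recent evidence before changing anything.
$mode = Get-NetlogonEnforcementMode
Write-Host "FullSecureChannelProtection = $(if ($null -eq $mode) { '<not set>' } else { $mode })"
Get-NetlogonSecureChannelEvents -Days 7 | Format-Table -AutoSize

# Enable enforcement only after the 5829 list above is clean:
# Enable-NetlogonEnforcementMode
```

The script reads state and events first and leaves the actual switch to an explicit call, so an administrator can confirm that no allowed-but-vulnerable (5829) connections remain before enforcement starts rejecting them.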
Most of the other vulnerabilities in this month’s Patch Tuesday are considered important. Visit Microsoft’s update page for complete details.
In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 54733 - 54746, 54753 and 54754.