In a recent release, Microsoft officially patched two crucial zero-day bugs on its platform and 120 known vulnerabilities.
Both zero-day bugs are vulnerabilities that malicious users are known to exploit to infiltrate target devices. Microsoft said that these vulnerabilities have been completely patched with its latest update.
The latest update contains patches for at least 13 different products. These include SQL Server, Windows, Edge browser, and the .NET Framework. In total, more than 120 vulnerabilities have been patched, with 17 of them considered “Critical.”
Two zero-day vulnerabilities
One of the two vulnerabilities affects the Windows operating system. The bug causes file signatures to be validated even if they are invalid. This allows an attacker to bypass security features and deploy improperly signed files.
In order to prevent the bug from being exploited, its technical details were not released to the public. This is the same strategy that the Microsoft security team employs on all of its patches. By not disclosing the details of the bug, the team keeps it from being exploited by hackers, giving it time to fix the issue.
Here we go again. Microsoft released updates to plug at least 120 security holes in its Windows operating systems and supported software, including two newly discovered vulnerabilities that are actively being exploited. #patchtuesday #cloudfusion https://t.co/gaWW6HTbwb pic.twitter.com/KjDAu5UcEj
— MTP (@MTPNJ) August 12, 2020
The second zero-day vulnerability is in the scripting engine of the Internet Explorer browser. While the browser has been completely replaced by Edge, some older versions of Windows still use it. The bug appears to allow hackers to remotely execute code in the browser’s scripting engine.
Microsoft said that the bug was discovered first by the team from Kaspersky. This is extremely critical since many apps still rely on the browser’s scripting engine to render web pages. For one, the entire Office suite relies on this scripting engine in order to deliver web pages inside a document.
Other vulnerabilities
Multiple other known vulnerabilities have been patched with the latest update. One particular update is for the Outlook email client. The patch fixes a vulnerability that allows hackers to remotely execute malicious code.
Other updates included in the patch are for MSHTML Engine, Media Foundation, Windows Codec Library, and Windows Media. The entire changelog of the patch is accessible on the official Microsoft support page.
A fix for a vulnerability in the Windows Print Spooler application was also part of the update. This particular vulnerability allows hackers to escalate their privileges, giving them more control of the target device. The bug is present on all Windows versions from Windows 7 to the latest Windows 10 version.
Microsoft highly encourages users to update their devices in order to improve security. The tech giant releases these updates on a monthly basis and calls it Patch Tuesday.