Microsoft fixed these Windows and Internet Explorer zero-day flaws in latest Patch Tuesday security update

The latest series of Patch Tuesday security updates for Windows 10 includes patches for 17 bugs marked 'Critical' and 97 listed as 'Important'.

Microsoft has issued fixes for 120 vulnerabilities – including two zero-day exploits – in its latest Patch Tuesday security update for Windows 10.

The latest series of updates covers 13 products and includes patches for 17 bugs flagged by Microsoft as 'Critical' and 97 listed as 'Important'. Microsoft began rolling out the fixes yesterday, August 11, covering Windows 10 version 2004 all the way back to Windows 7 and Server 2008.

Among the main vulnerabilities to have been patched is the bug designated CVE-2020-1464, a spoofing vulnerability through which an attacker could bypass Windows 10's security features and load improperly signed files on a user's machine. This vulnerability has been publicly disclosed and detected in real-world attacks, though no other details have been provided by Microsoft.

The second zero-day exploit being remedied by Microsoft is CVE-2020-1380, a remote-code execution vulnerability in Internet Explorer's scripting engine. This vulnerability was flagged to Microsoft by antivirus software provider Kaspersky, and allows attackers to execute malicious code in Internet Explorer through which an unauthorised user could then take control of other parts of the victim's system.

According to Microsoft, an attacker who successfully exploited the vulnerability could gain the same user rights as the authorised user: if the current user is logged on with administrator rights, for instance, the attacker could take control of the system and install programs; view, change, or delete data; or create new accounts at will.

Kaspersky explained that the exploit was dangerous regardless of whether Internet Explorer was used as the primary web browser on a PC: some Microsoft applications, such as Office, often use Internet Explorer to display video and render web pages within documents via the ActiveX extension. An attacker could, therefore, embed exploit code into ActiveX and either launch it via a document or lure users to a malicious site.

Another notable vulnerability resolved in August's security update is CVE-2020-147. This exploit enabled an attacker to use the Netlogon Remote Protocol (MS-NRPC) to connect to a domain controller and obtain domain administrator access. Microsoft is addressing this vulnerability in a two-part update, starting with a modification to how Netlogon handles the use of secure channels.

Additional patches being rolled out by Microsoft cover its Edge browser, Office, SQL Server Management Studio and .NET Framework, alongside other components and development tools. Adobe has also pitched in with 26 fixes for vulnerabilities in its Acrobat and Reader applications.

All of the latest Patch Tuesday fixes are available via Windows Update. ZDNet has published an exhaustive list of everything that's included, alongside a list of security updates released by other companies this week.
