ALERT: Update IE and Windows for vulnerabilities
Wednesday, August 12, 2020
The information below was sent to U-M IT groups on August 12, 2020. It is intended for U-M IT staff who are responsible for university devices or servers running Microsoft Windows, Windows Server, or Internet Explorer 11. It also applies to individuals who use Windows or Internet Explorer on their own computers.
Summary
Microsoft has released updates for two vulnerabilities that are being actively exploited. The most important update is for Internet Explorer 11, which is affected by a remote code execution vulnerability. The other vulnerability affects Windows and Windows Server. Prioritize updates to devices used for reading email and web browsing.
Problem
- In Internet Explorer 11, a remote code execution vulnerability exists that could give an attacker the same user rights as the current user. To exploit the vulnerability, an attacker could use a specially crafted website, compromised websites, or websites that accept or host user-provided content or advertisements. According to ZDNet, while the bug is in the IE scripting engine, other native Microsoft apps, including Office, are also affected. The bug can be exploited through malicious web sites or booby-trapped Office files.
- In Windows and Windows Server, a spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker could bypass security features intended to prevent improperly signed files from being loaded. This could allow an attacker to pretend that their malware is made by a trusted vendor, potentially bypassing security controls that would normally only allow software from trusted sources to run.
Threats
The vulnerabilities are being actively exploited in the wild.
Affected Systems
- Internet Explorer 11
- All supported versions of Windows and Windows Server
Action Items
Apply the following updates from Microsoft as soon as possible after appropriate testing:
- CVE-2020-1380 | Scripting Engine Memory Corruption Vulnerability (Microsoft, 8/11/20)
- CVE-2020-1464 | Windows Spoofing Vulnerability (Microsoft, 8/11/20)
Prioritize updates as follows:
- Prioritize updates to systems where people read email and/or browse the web, such as desktop and laptop computers. The need for immediate action in this case requires an expedited timeframe that supersedes the remediation timeframes in Vulnerability Management (DS-21).
- Windows servers where people do not perform those activities can be a lower priority.
Technical Details
CVE-2020-1380 is a use-after-free vulnerability in the library jscript9.dll, which all versions of Internet Explorer since IE9 use by default. The vulnerability is caused by JIT optimization and the lack of necessary checks in just-in-time compiled code. See Internet Explorer and Windows zero-day exploits used in Operation PowerFall (SecureList, 8/12/20) for more detail.
How We Protect U-M
- ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
- ITS updates MiWorkspace and MiServer managed machines as soon as possible after appropriate testing.
Information for Users
- Please consider using Microsoft Edge instead of Internet Explorer where possible.
- MiWorkspace Windows machines will be updated overnight on Thursday, August 13, provided no significant issues are found in testing. Leave your MiWorkspace computer on and connected to the internet so it can receive the update. You will need to reboot the computer for the update to be installed.
- If you have Windows or Internet Explorer 11 installed on your own computer that is not managed by the university, update to the latest version as soon as possible. It is best to set Windows and IE to update automatically.
- MiServer (MOS) will follow normal patching processes that routinely apply Microsoft updates in a timely manner. MiServer customers who manage the operating system on their MiServer systems need to apply the updates for this vulnerability.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact [email protected].
References
- CVE-2020-1380 | Scripting Engine Memory Corruption Vulnerability (Microsoft, 8/11/20)
- CVE-2020-1464 | Windows Spoofing Vulnerability (Microsoft, 8/11/20)
- Microsoft Addresses RCE and Spoofing Vulnerabilities Under Active Exploitation (Cybersecurity and Infrastructure Security Agency, 8/11/20)
- Internet Explorer and Windows zero-day exploits used in Operation PowerFall (SecureList, 8/12/20)
- August 2020 Patch Tuesday: Microsoft fixes two vulnerabilities under attack (Help Net Security, 8/11/20)
- Microsoft August 2020 Patch Tuesday fixes 2 zero-days, 120 flaws (Bleeping Computer, 8/11/20)
- Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days (ZDNet, 8/11/20)
- Microsoft Patch Tuesday, August 2020 Edition (Krebs on Security, 8/11/20)
- Microsoft Patches 120 Vulnerabilities, Two Zero-Days (DarkReading, 8/11/20)