Of the 120 bugs, Microsoft ranked 17 as “critical” and 103 as “important” vulnerabilities.
Five of the critical bugs (CVE-2020-1554, CVE-2020-1492, CVE-2020-1379, CVE-2020-1477 and CVE-2020-1525) are tied to Microsoft’s Windows Media Foundation (WMF), a multimedia framework and infrastructure platform for handling digital media in Windows 7 through Windows 10 and Windows Server 2008 through 2019. August’s bugs bring the number of critical bugs to ten, points out Allan Liska, senior security architect at Recorded Future.
“These vulnerabilities exist in the way WMF handles objects in memory. Successful exploitation would allow an attacker to install malicious software, manipulate data or create new accounts,” Liska said.
The researcher also urged security teams to patch CVE-2020-1046, a .NET Framework remote code execution (RCE) bug that affects versions 2.0 through 4.8. “The vulnerability exists in the way .NET handles imports. An attacker could exploit this vulnerability and gain admin-level control of the vulnerable system. To exploit this vulnerability, an attacker needs to upload a specially crafted file to a web application,” wrote Liska in a Patch Tuesday research note.
Richard Tsang, senior software engineer at Rapid7, commented in his Patch Tuesday note that the most interesting bug patched this month is a Netlogon elevation-of-privilege bug (CVE-2020-1472), present in several versions of Windows Server. The patch is a multi-step affair.