It’s time for Patch Tuesday again. I like to start with some good news, and this month is easy. There is nothing nearly as severe as what we got from SigRed last month. Are you feeling good now? Great! Let’s dive into all the less good news. We have 120 vulnerabilities (13 critical) that got patches this week, and we have officially passed 2019’s number of CVEs. As we have been well over 100 per month since April, it seems likely we will be well over 1200 by the end of the year. Hurray for records! Also worth noting is that this month has 2 that are already actively being exploited, and 1 of those is publicly known.
CVE-2020-1464 - Let’s start with the publicly known, currently exploited vulnerability. This one lets an attacker bypass security features and load improperly signed files by making Windows incorrectly validate file signatures.
CVE-2020-1380 - The other currently exploited vulnerability allows an attacker to run arbitrary code in the context of the current user. It does this by taking advantage of how the scripting engine handles objects in memory in Internet Explorer.
CVE-2020-1568 - This one is similar to 1380, only the attack goes through the Edge PDF reader instead of IE. While it is not an actively exploited vulnerability, it seems like a very good one to get patched.
It feels like every month, we either have extreme vulnerabilities that need to be patched or have vulnerabilities already actively being exploited that we need to patch. This is what happens when the hackers can’t go out for fresh air once in a while! If you are on the patch management team, you might want to get on this one. If you aren't, maybe send them an edible arrangement or something? They could probably use some show of support by now.
Jordan had spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that was something he should talk about on the internet while drinking most Thursdays on the PDQ webcast.