Microsoft has released an unscheduled security update, KB4578013, for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 on August 19, 2020. It is a revision that remediates the Remote Access Elevation of Privilege vulnerabilities that were patched on August 11, 2020. Here is some information.
I received the information about the unscheduled update as a comment and as a security advisory from Microsoft (see below).
Microsoft Security Advisory August 19, 2020
Microsoft sent out a security advisory with information about the update last night. This special update resolves the remote access elevation of privileges vulnerabilities CVE-2020-1530 and CVE-2020-1537.
**************************************************************************************
Title: Microsoft Security Update Releases
Issued: August 19, 2020
**************************************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2020-1530
* CVE-2020-1537
Revision Information:
=====================
* CVE-2020-1530
– CVE-2020-1530 | Windows Remote Access Elevation of Privilege Vulnerability
– Version 2.0
– Reason for Revision: Microsoft is announcing the availability of security update
4578013 for all supported versions of Microsoft 8.1 and Windows Server 2012 R2.
Customers running Windows 8.1 or Server 2012 R2 should install the update for
their product to be protected from this vulnerability. Customers running other
versions of Microsoft Windows or Windows Server do not need to take any action.
See the Security Updates table for more information and download links.
– Originally posted: August 12, 2020
– Updated: August 19, 2020
– Aggregate CVE Severity Rating: Important
* CVE-2020-1537
– CVE-2020-1537 | Windows Remote Access Elevation of Privilege Vulnerability
– Version 2.0
– Reason for Revision: Microsoft is announcing the availability of security update
4578013 for all supported versions of Microsoft 8.1 and Windows Server 2012 R2.
Customers running Windows 8.1 or Server 2012 R2 should install the update for
their product to be protected from this vulnerability. Customers running other
versions of Microsoft Windows or Windows Server do not need to take any action.
See the Security Updates table for more information and download links.
– Originally posted: August 12, 2020
– Updated: August 19, 2020
– Aggregate CVE Severity Rating: Important
The following applies to both vulnerabilities: improper handling of memory in the Windows Remote Access function can lead to privilege escalation on the operating systems mentioned. To exploit this vulnerability, an attacker would first have to establish a remote access connection to the victim's system. The attacker could then execute a specially crafted application to elevate privileges.
The vulnerability had already been closed for Windows 7 SP1 up to Windows 10 and the server counterparts on Patchday, August 11, 2020. A revision update, KB4578013, for Windows 8.1 (including the RT variant) and Windows Server 2012 R2 is apparently required as of August 19, 2020.
Update KB4578013 for Windows 8.1
Update KB4578013 for Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 is intended to address the two Windows Remote Access Elevation of Privilege vulnerabilities CVE-2020-1530 and CVE-2020-1537. According to Microsoft's KB article, this update is only available in the Microsoft Update Catalog for manual download and subsequent installation. They wrote:
How to get this update
Microsoft Update Catalog
To get the standalone package for this update, go to the Microsoft Update Catalog website.
But German readers commented that they received this update via Windows Update and WSUS too! And the KB article states that no reboot is necessary, while users report that a reboot is required (so the KB article is just a mess). Why Microsoft had to make improvements, and why the unscheduled update is described in the KB article as 'only available for download in the Microsoft Update Catalog', is still Redmond's secret (maybe they haven't fixed the vulnerability in the patch from August 11, 2018). But they added an entry to the Windows Message Center:
An out of band security update has been released for Windows 8.1 and Windows Server 2012 R2. This update addresses two Windows Remote Access Elevation of Privilege vulnerabilities. We recommend that you install these updates promptly. For information about the update, see KB4578013. For more information about these vulnerabilities, see CVE-2020-1530 and CVE-2020-1537.
The fragments of information that were published there don't fit together. I leave it up to you to decide if installing the update is necessary – without extensive tests I would not install it on production systems running Windows Server 2012 R2. On Windows 8.1 consumer clients it's probably not too important to install that patch – but I don't know. The Message Center says the patch is important – and German readers wrote that the update is rated 'important' (my test machine with Windows 8.1 still hasn't found that update yet). But remote sessions to Windows 8.1 clients are not widely used. And within the CVEs Microsoft wrote: '2 – Exploitation Less Likely'.
I guess the right hand in Redmond does not know what the left hand is doing. I've informed Redmond via Twitter to at least update their KB articles so that what they write is consistent.
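As an added example (not from the original post or from Microsoft), here is a PowerShell check an administrator could run on a Windows 8.1 or Windows Server 2012 R2 host to see whether KB4578013 is present, whether only the superseded security-only update KB4571723 is present, and whether a reboot is pending, since the KB article and user reports disagree on that point. The KB numbers come from the post; the version prefix 6.3 and the two pending-reboot registry keys are the standard Windows markers.

```powershell
# Added example, not part of the original post. Checks patch state for the
# Remote Access EoP fixes (CVE-2020-1530 / CVE-2020-1537) on Windows 8.1 and
# Windows Server 2012 R2 (NT 6.3) and reports a pending reboot.
$affectedVersionPrefix = '6.3.'     # Windows 8.1 / Windows RT 8.1 / Server 2012 R2
$oobUpdate        = 'KB4578013'     # out-of-band update from August 19, 2020
$supersededUpdate = 'KB4571723'     # security-only update it replaces

$os = Get-CimInstance -ClassName Win32_OperatingSystem
if (-not $os.Version.StartsWith($affectedVersionPrefix)) {
    Write-Output "$($os.Caption) ($($os.Version)) is not affected; no action needed."
    return
}

# Only the two updates of interest; Get-HotFix reads the installed package list.
$installed = Get-HotFix | Where-Object { $_.HotFixID -in @($oobUpdate, $supersededUpdate) }
$hasOob = $installed.HotFixID -contains $oobUpdate
$hasOld = $installed.HotFixID -contains $supersededUpdate

if ($hasOob) {
    $when = ($installed | Where-Object { $_.HotFixID -eq $oobUpdate }).InstalledOn
    Write-Output "$oobUpdate is installed (InstalledOn: $when)."
} elseif ($hasOld) {
    Write-Output "Only $supersededUpdate (superseded) is present; $oobUpdate is missing."
} else {
    Write-Output "Neither $oobUpdate nor $supersededUpdate is present; the fixes are missing."
}

# Pending-reboot markers written by Component Based Servicing and Windows Update.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$pending = $rebootKeys | Where-Object { Test-Path $_ }
if ($pending) { Write-Output "A reboot is pending: $($pending -join '; ')" }
else          { Write-Output 'No pending reboot detected.' }
```

Run it in an elevated PowerShell session; on a fleet it can be wrapped in Invoke-Command to collect the same three facts from every 8.1 / 2012 R2 host.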
The KB4578013 security update supersedes / replaces the KB4571723 security-only update, as noted by the MS Update Catalog:
https://www.catalog.update.microsoft.com/Search.aspx?q=4578013