Microsoft today released updates to plug at least 120 security holes in its Windows operating systems and supported software, including two newly discovered vulnerabilities that are actively being exploited.

Yes, good people of the Windows world, it’s time once again to backup and patch up!

The other flaw enjoying active exploitation is CVE-2020-1464, which is a “spoofing” bug in virtually supported version of Windows that allows an attacker to bypass Windows security features and load improperly signed files.

Trend Micro’s Zero Day Initiative points to another fix — CVE-2020-1472 — which involves a critical issue in Windows Server versions that could let an unauthenticated attacker gain administrative access to a Windows domain controller and run an application of their choosing.

A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.

Perhaps the most “elite” vulnerability addressed this month earned the distinction of being named CVE-2020-1337, and refers to a security hole in the Windows Print Spooler service that could allow an attacker or malware to escalate their privileges on a system if they were already logged on as a regular (non-administrator) user.

Satnam Narang at Tenable notes that CVE-2020-1337 is a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020.

Narang said researchers found that the patch for CVE-2020-1048 was incomplete and presented their findings for CVE-2020-1337 at the Black Hat security conference earlier this month.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files.

A reliable backup means you’re less likely to pull your hair out when the odd buggy patch causes problems booting the system.

So do yourself a favor and backup your files before installing any patches.

Tags: adobe acrobat, adobe reader, Black Hat, CVE-2020-1048, CVE-2020-1337, CVE-2020-1380, CVE-2020-1464, CVE-2020-1472, Dustin Childs, Internet Explorer zero-day, Microsoft Patch Tuesday August 2020, Satnam Narang, Tenable, Trend Micro Zero Day Initiative.

My support ticket to Microsoft using the VSS (file history) recently ended with Microsoft saying that file history should NOT be used to backup user data files.

If you use file history versions and rely on it as your backup, then make sure you test the recovery of files on a regular basis!