Patch Tuesday The May edition of Patch Tuesday landed this week. And there are scores of security fixes to install.
A total of 111 fixes were released by Microsoft, though on the bright side none are being actively exploited, as far as we know. Sixteen earned Microsoft's top rating of critical, and range from remote code execution to elevation of privilege.
One standout programming blunder was CVE-2020-1067, a remote-code execution (RCE) vulnerability in all supported versions of Windows. Anyone with a domain user account can exploit it for elevated access on the targeted system. It's rated important though that kinda masks the threat.
"This patch corrects an RCE bug in the Windows OS that could allow an attacker to execute arbitrary code with elevated permissions on affected systems," said Dustin Childs of the Trend Micro's ZDI. "The only thing keeping this from being critical is the fact that the attacker needs a domain user account for their specially crafted request to succeed. This makes the bug a prime target for insider threats, as well as penetration testers looking to expand their foothold in a target enterprise."
One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batchREAD MORE
There is a laundry list of vulnerabilities in Microsoft's web browser engines, Sharepoint, script interpreters, and Visual Studio that ZDI has summarized here along with the less-important ones, such as elevation-of-privilege blunders in the Windows kernel. They basically boil down to holes that can be exploited by opening maliciously crafted files, or by malware already running on a PC.
"Most are related to web browsers or some form of browse-and-own scenario," noted Childs. "Chakra Core, IE, and EdgeHTML all receive critical-rated updates.
"None of the bugs being patched are listed as being publicly known or under active attack at the time of release. That makes three months in a row that Microsoft has released patches for more than 110 CVEs. We’ll see if they maintain that pace throughout the year."
If you want to drill down into some of the more interesting ones, there's CVE-2020-1118, a denial-of-service weakness in clients and servers handling TLS 1.2; CVE-2020-1192, a remote code execution hole in the Visual Studio Code Python Extension; CVE-2020-1023, CVE-2020-1024, CVE-2020-1102, and CVE-2020-1069, all remote code execution in Sharepoint; CVE-2020-1093, remote code execution in VBScript; and CVE-2020-1153, remote code execution in the Microsoft Graphics Components.
Make sure you download, test, and deploy the fixes as necessary before someone weaponizes exploits for these vulnerabilities.
Windows 7 problems
Those still running Windows 7, and even those paying Microsoft top dollar for support to do so, should be aware of an issue with KB4556399, a .NET security and quality update. Depending on your configuration, it may fail to install.
On to Adobe: Two critical fixes for a number of CVEs
It were 36 bugs patched by Adobe this month in Acrobat and Reader, and the usual assortment of code execution and denial of service flaws that require opening a document to exploit. Linux fans are spared this time around, as the patches are only for macOS and Windows boxes.
SAP, VMware critical flaws
Meanwhile, SAP admins will want to address a number of bugs, including CVE-2020-6262, CVE-2020-6248, and CVE-2020-6243 (code injections), note 2622660 (Chromium updates), CVE-2020-6242 (missing authentication check), and CVE-2020-6219 (deserialization of untrusted data).
VMware also emitted fixes for CVE-2020-11651 and CVE-2020-11652, which are authentication bypass and directory traversal vulnerabilities. ®