June's Patch Tuesday reveals 23 ways to remotely pwn Windows – and over 100 more bugs that could ruin your day
Microsoft, Intel, Adobe, SAP emit fixes in security synchronicity
Patch Tuesday Microsoft has given IT admins and folks another busy Patch Tuesday with 129 security vulnerabilities to address.
The Redmond giant has posted fixes for CVE-listed bugs in its latest monthly security update, including 23 that allow for remote code execution. The massive bundle is not entirely unexpected, as security experts have suggested that vendors are still catching up on their patching and reporting routines.
Of the 129 patches this month, 11 were rated by Microsoft as critical security risks. Fortunately, there are no reports of public exploit code nor in-the-wild attacks on any of the flaws as yet – but remember Exploit Wednesday. Once the bugs are known, and patches available, exploits can be reverse-engineered.
LNK flaws strike again
One of the bugs that was of particular interest to researchers was CVE-2020-1299, a remote code execution issue that arises when trying to load Windows shortcut (LNK) files. This is the third time this year Microsoft has had to address an RCE bug in such shortcuts.
"An attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file," explained Dustin Childs of the Trend Micro Zero Day Initiative (ZDI).
"These types of files are often put on a USB drive in an attempt to bridge an air-gapped network."
Also catching the eye of the ZDI team was CVE-2020-1229, a security bypass bug in Outlook that, while not particularly concerning at first glance, poses a significant risk if chained with other exploits.
"This bug could allow attackers to automatically load remote images – even from within the Preview Pane," said Childs. "While this bypass alone could just disclose the IP address of a target system, it’s not unheard of to get code execution through the processing of specially crafted images (see any GDI+ bug)."
SharePoint Server admins will want to make sure they test out and install the fix for CVE-2020-1181 as soon as possible in order to prevent remote code execution attacks. Microsoft also patched six SharePoint XSS flaws (CVE-2020-1177, CVE-2020-1183, CVE-2020-1297, CVE-2020-1298, CVE-2020-1318, CVE-2020-1320), two elevation of privilege flaws (CVE-2020-1295, CVE-2020-1178), and three spoofing bugs (CVE-2020-1148, CVE-2020-1289, CVE-2020-1323).
While Microsoft tends not to consider Office and multimedia RCE bugs to be critical risks because users need to manually open files in order to trigger an attack, admins should put a priority on testing and patching the updates for Jet Database (CVE-2020-1208, CVE-2020-1236), Media Foundation (CVE-2020-1238, CVE-2020-1239), Excel (CVE-2020-1225, CVE-2020-1226), Office (CVE-2020-1321), VBScript (CVE-2020-1214, CVE-2020-1215, CVE-2020-1230), and the outdated SMBv1 (CVE-2020-1301).
Those running word on Android will also want to make sure they update their software, as Microsoft issued a patch for CVE-2020-1223, a remote code execution flaw.
Haven't killed Flash yet? In that case you'll want this Adobe patch
Adobe has issued a fix for a single remote code execution hole in its aging Flash Player plugin. CVE-2020-9633 is a use-after-free bug present in the Windows, macOS, Linux, and ChromeOS versions of Flash Player. Adobe did not say who found the flaw.
The third of the updates was given to Adobe Framemaker to clean up up three arbitrary code execution bugs (CVE-2020-9636, CVE-2020-9634, CVE-2020-9635). Adobe credits ZDI researcher Francis Provencher with reporting CVE-2020-9634 and CVE-2020-9635, while Honggang Ren of Fortiguard Labs found CVE-2020-9636.
Five Intel updates, including a re-hash of CacheOut bug
Chipzilla is now part of the Patch Tuesday as well, so everyone using Intel hardware will want to check out the fixes for flaws in its Innovation Engine (CVE-2020-8675, elevation of privilege via the firmware build and signing tool) and Special Register Buffer (CVE-2020-0543, information disclosure caused by incomplete register data cleanup).
That CVE-2020-0543 bug has been dubbed CrossTalk by the people who found it. Intel has a technical deep-dive into the flaw here. The upshot is malware on a system, or a rogue logged-in user, could, for example, exploit it to leak sensitive information from SGX enclaves.
On top of this, a single bulletin was issued to address 20 different vulnerabilities in CSME, SPS, TXE, AMT, ISM, and DAL. The bugs have a number of sources, including the IPv6 subsystem, improper input validation, and a one-way hash in CSME.
The vulnerabilities could be exploited to pull off denial of service, information disclosure, and elevation of privilege attacks, the latter being particularly bad in the context of Intel firmware.
Intel also issued fixes for its BIOS (CVE-2020-0528, denial of service or elevation of privilege via improper buffer restrictions) and SSD firmware (CVE-2020-0527, information disclosure from insufficient control flow management).
Meanwhile, there's a vulnerability dubbed SGAxe [PDF] which is a fresh take on the CacheOut vulnerability, again breaking the security of Intel's SGX. You can find more details here; Intel is said to be working on releasing a microcode fix for the issue.
SAP pushes 17 updates
Those admins looking over SAP installations will want to check if their software is included in the lineup of 17 June security notes, including fixes to Apache Tomcat (CVE-2020-1938), two fixes for SAP Commerce (CVE-2020-6265, CVE-2020-6264), SAP Success Factors (CVE-2020-6279), and NetWeaver (CVE-2020-6275). ®