June 2020 Patch Tuesday: Microsoft fixes record monthly number of CVEs
On this June 2020 Patch Tuesday, Microsoft has plugged 11 critical and 118 high-severity security holes, while Adobe has delivered security updates for Flash, Framemaker and Experience Manager.
Microsoft’s updates
Microsoft has fixed a record 129 CVE-numbered vulnerabilities in a wide variety of its offerings: Windows, the Internet Explorer and Edge browsers, Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Azure DevOps, and more.
11 of the vulnerabilities are critical and 118 high-severity. None are under active exploitation.
Because of the critical vulnerabilities, this month the most important updates are for various flavors of Windows, Internet Explorer and Edge.
Trend Micro Zero Day Initiative’s Dustin Childs has singled out yet another LNK Remote Code Execution Vulnerability (CVE-2020-1299) as important to patch, as it can be triggered by a victim clicking on a specially crafted .LNK file from, let’s say, a strategically dropped USB file.
CVE-2020-1300 is a remote code execution vulnerability that exists because Windows fails to properly handle cabinet (.CAB) files.
“To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver,” Microsoft explained. As Childs pointed out, “users are often conditioned into trusting printer drivers when offered one, so it would not be surprising to see this get exploited.”
CVE-2020-1281, a Windows OLE remote code execution vulnerability, affects all supported versions of Windows and can be triggered by a user opening either a specially crafted file or a program from either a webpage or an email message.
“Microsoft addressed five critical remote code execution vulnerabilities impacting their Windows-based operating systems, from Windows 7 to Server 2019. CVE-2020-1248, -1281, -1286, -1299, -1300 each address different vulnerable resources in the Windows operating systems, but they all share a common trait – the necessity to trick an endpoint user to engage the exploit directly,” noted Richard Melick, Senior Technical Product Manager, Automox.
“In the recent 2020 Verizon DBIR, researchers found that over 22% of incidents were due to human error, and 30% of breaches were due to phishing attacks, going to show that despite increased efforts by organizations to address training, users still click on links, open files, and visit websites that could potentially be compromised. Each of these vulnerabilities relies on these user patterns, and if left unaddressed and vulnerable, could be a backdoor for an attacker to execute malicious code, install a backdoor, modify user credentials, or navigate laterally through the corporate network. And seeing as each of these addresses vulnerabilities impact Windows Server from 2008 to 2019, a successful exploit could be devastating to an organization.”
Microsoft has fixed several bugs affecting Office, including a critical Microsoft Outlook security feature bypass vulnerability (CVE-2020-1229). Unfortunately for Mac users, updates are not yet available, but will be soon.
Three SMB security holes have also been plugged – one in SMBv1 (CVE-2020-1301) and two in SMBv3 (CVE-2020-1284, CVE-2020-1206), but none are as dangerous as SMBGhost or the SMBv1 flaw targeted by the infamous EternalBlue exploit.
CVE-2020-1301 requires authentication before exploitation, and CVE-2020-1284 and CVE-2020-1206 can lead to information disclosure and Denial-of-Service (respectively), and not to code execution. Though CVE-2020-1284 (also dubbed SMBleed) could be combined with SMBGhost to achieve pre-auth remote code execution.
Adobe’s updates
Adobe has released security updates for Adobe Flash Player (for Windows, macOS, Linux and Chrome OS), Adobe Framemaker (for Windows) and Adobe Experience Manager.
While none of the fixed vulnerabilities are actively exploited in attacks, some are more critical than others.
The Flash update should be a priority as it fixes a critical flaw (CVE-2020-9633) that could be exploited to achieve arbitrary code execution on the target system and the vulnerability is in a piece of software that is still widely used and has historically been a preferred target of attackers.
Adobe has plugged three similarly critical flaws in Framemaker, a document processor designed for writing and editing large or complex documents. All three could lead to code execution and, since this app is mostly used by organizations, they could end up being exploited in highly targeted attacks.
“Arbitrary code execution, or ACE, allows attackers to execute commands or code on a device or within a process. On its own, ACE exploits are limited in scope to the privilege of the affected process, but when combined with privilege escalation vulnerabilities like those found in the previous updates can allow an attacker to quickly escalate privileges for a process and execute code on the target system giving the attacker full control over the device,” noted Jay Goodman, Strategic Product Manager, Automox.
“This emphasizes the importance of keeping your systems up to date. A single vulnerability may not lead to an immediate risk, but the sum total of multiple months of missing patches can create a target-rich environment for attackers.”
Finally, Adobe Experience Manager, a suite of online cloud-based services for content and digital asset management, has been updated to fix six “important” vulnerabilities that could lead to sensitive information disclosure or arbitrary JavaScript execution in the browser.