Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

06:10 PM
Connect Directly

Microsoft Fixes 111 Vulnerabilities for Patch Tuesday

This marks the third month in a row that Microsoft patched more than 100 bugs, of which 16 are classified as critical.

Microsoft today released fixes for 111 vulnerabilities as part of its monthly Patch Tuesday rollout. Sixteen of these flaws are categorized as Critical, and 95 are classified as Important.

This month marks the third-largest Patch Tuesday update in Microsoft history, ZDNet notes. The company patched a whopping 115 bugs in March 2020, its biggest release to date, and 113 in April. Vulnerabilities patched this month exist in Windows, the Edge browser, ChakraCore, Internet Explorer, Microsoft Office, Office Services and Web Apps, Visual Studio, Microsoft Dynamics, .NET Framework, .NET Core, and Power BI. None are publicly known or under attack.

While the absence of known vulnerabilities and zero-days gives IT managers some time to test patches before they are deployed, the size of Microsoft's recent Patch Tuesday releases could be a burden. The global shift to remote work, driven by the coronavirus pandemic, has exacerbated many existing patch management challenges and created new ones for IT teams.

Among the serious vulnerabilities patched this month are CVE-2020-1023, CVE-2020-1102, and CVE-2020-1024, all critical remote code execution flaws (RCE) in Microsoft SharePoint. These could allow attackers to access a system; view, edit, or delete data; or directly run malicious code on the system. An intruder could have access to sensitive data stored in the organization's SQL server and gain a platform to conduct malicious activity against devices in the environment.

"Systems like SharePoint can often be difficult to take offline and patch, allowing RCE vulnerabilities to linger in your infrastructure," explains Jay Goodman, product marketing manager for Automox. "This gives attackers the ability to 'live off the land' and move laterally easily once access is gained via an existing exploit."

Also worth noting are CVE-2020-1117, an RCE vulnerability in Microsoft Color Management, and CVE-2020-1126, a Media Foundation memory corruption vulnerability. Both are classified as Critical, and both could be exploited by tricking a user into opening a malicious attachment or visiting a website that contains the exploit code. If successful, an attacker could achieve the same rights as the compromised user and perform actions with the user's permissions.

"If the user has administrative privileges, the attacker could then perform a variety of actions, such as installing programs, creating a new account with full user rights, and viewing, changing, or deleting data," says Satnam Narang, staff research engineer at Tenable. "However, Microsoft rates these vulnerabilities as 'Exploitation Less Likely,' according to its Exploitability Index."

Most of the Critical flaws patched today are resolved via OS and browser updates; however, there are a number of Important CVEs with higher likelihood of exploitation. These include a pair of elevation-of-privilege vulnerabilities in Win32k (CVE-2020-1054 and CVE-2020-1143), and another in Windows Graphics Component (CVE-2020-1135). All of these are rated Exploitation More Likely by Microsoft. An attacker who gains access to a target system could exploit any one of these flaws to execute code with elevated privileges, Narang explains.

This acknowledgement underscores an important point: Vulnerabilities with lower severity levels aren't necessarily less likely to be exploited. If a business's prioritization stops at a certain severity, or CVSS scores above a certain level, it could miss flaws an attacker is likely to use.

"What is interesting and often overlooked is seven of the 10 CVEs at higher risk of exploit are only rated as Important," notes Todd Schell, senior product manager with Ivanti. "It is not uncommon to look to the Critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as Important vs. Critical." Risk metrics like Publicly Disclosed, Exploited, and Microsoft's Exploitability Assessment should also be factored into prioritizing patches.

CVE-2020-1058 and CVE-2020-1060 are both examples. While neither are rated as Critical in severity, it's possible they will be used by attackers in the wild. Both are RCE flaws in VBScript and ranked Important. Microsoft considers both "Exploitation More Likely." If exploited, these flaws could allow an attacker to gain the same rights as the current user. The versatility of VBScript lends itself to a variety of attack vectors, says Chris Hass, director of information security and research with Automox.

"An attacker could host a malicious webpage with a specially crafted payload to exploit any user visiting the page using IE, inject code into a compromised webpage, or even launch a malvertising campaign to serve the payload via malicious advertisements on popular websites," says Hass. Someone could also embed an Active X control object in an application or Office file, which could be leveraged in a phishing campaign to gain code execution on a target machine.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.