Microsoft Patches Critical Code Execution Vulnerabilities in Windows, Browsers

Microsoft’s security updates for June 2020 patch 129 vulnerabilities, including 11 critical remote code execution flaws affecting Windows, the Edge and Internet Explorer browsers, and SharePoint.

Vulnerabilities rated important have been found in Windows, browsers, Office, Windows Defender, Dynamics, Visual Studio, Azure DevOps, and Android apps. One of them, a privilege escalation flaw in the Windows Group Policy Object (GPO) mechanism, was reported by CyberArk (among others), and the company has published a blog post detailing its findings.

None of the security holes patched this month has been exploited in attacks or disclosed before fixes were released.

Trend Micro’s Zero Day Initiative (ZDI) has pointed out that this is the fourth month in a row in which Microsoft has released patches for more than 110 CVEs, and that 129 is the highest number the company has ever addressed in a single month. The 616 CVEs patched so far in 2020 are nearly as many as Microsoft fixed in all of 2017.

Experts from several cybersecurity companies have commented on this month’s patches:

Dustin Childs, Communications Manager, Trend Micro’s ZDI Program:

“There’s a Critical-rated SharePoint bug that would allow remote code execution if an authenticated user managed to create and invoke a specially crafted page on an affected version of SharePoint. ZDI will share more information about this bug in an upcoming blog post.

Mac users, beware of CVE-2020-1229. This bug could allow attackers to automatically load remote images, even from within the Preview Pane. While this bypass alone could just disclose the IP address of a target system, it’s not unheard of to get code execution through the processing of specially crafted images (see any GDI+ bug). Patches are available for Windows-based versions of Office, but the patches for Office 2016 for Mac and Office 2019 for Mac are not yet available.

Patches targeting Elevation of Privilege (EoP) bugs take center stage this month with a total of 70 being addressed. A total of 19 of those 70 patches fix bugs in the Windows Kernel and Kernel-mode drivers.

The most notable spoofing bug being addressed this month is a patch for Microsoft Bing Search for Android. Since this is an Android app, the update is found on the Google Play store and must be manually installed.

There are 14 information disclosure bugs being patched this month, but only two (CVE-2020-1242 and CVE-2020-1296) could potentially leak PII.”

Erez Yalon, Head of Security Research, Checkmarx:

“Microsoft’s latest fixes in its June Patch Tuesday update show that when it comes to vulnerabilities, what’s old is new again. The same vulnerabilities we’ve seen appear in Adobe Flash over the past few years, along with common cross-site scripting (XSS) issues, were addressed this month. As witnessed within Microsoft Office SharePoint, there were multiple XSS vulnerabilities identified in the same product; this could be the result of a researcher who found one flaw and decided to continue digging, or Microsoft itself going through similar flows of code to try to fix them all.

Regardless, this serves as a reminder that if attackers can find one flaw, they will immediately continue to look for similar ones within the same codebase. This strategy leaves more doors open in the event that others are patched and closed, and enables the use of varied attack scenarios.”

Allan Liska, Intelligence Analyst, Recorded Future:

“This month starts with CVE-2020-1281, a remote code execution vulnerability in Microsoft’s Object Linking & Embedding (OLE). This vulnerability impacts Windows 7 through 10 and Windows Server 2008 through 2019. The vulnerability exists in the way OLE validates user input. An attacker who sent a specially crafted file or program, or convinced a victim to download one, could execute malicious code on the victim’s machine. Microsoft assigned this vulnerability a CVSS score of 7.8; a similar vulnerability, CVE-2017-0199, has been widely exploited including by the Lazarus group and APT 34.

Microsoft also disclosed a SharePoint remote code execution vulnerability, CVE-2020-1181. The vulnerability is in the way SharePoint processes unsafe ASP.NET web controls. The vulnerability impacts SharePoint 2010 through 2019 and requires a user to be authenticated in order to exploit it. While Microsoft rates this vulnerability as less likely to be exploited, SharePoint is being increasingly targeted by threat actors.

Microsoft Excel has two remote code execution vulnerabilities this month, CVE-2020-1225 and CVE-2020-1226. Both vulnerabilities exist in the way Excel handles objects in memory. An attacker can exploit these vulnerabilities by sending a specially crafted Excel document or by hosting one on a website. If a vulnerable user opens the document, the attacker would gain access to the remote system at the same privilege level as the victim. Excel has long been a common delivery method for threat actors, especially those involved in ransomware, and threat actors have gotten very good at quickly weaponizing Excel vulnerabilities.

CVE-2020-1299 is a remote code execution vulnerability in the way Microsoft processes .LNK files. This vulnerability affects Windows 7 through 10 and Windows Server 2008 through Windows Server 2019. In order to exploit this vulnerability, the attacker would need to provide a removable drive or a remote drive share that contains the malicious .LNK file. In March 2020, Microsoft announced a similar vulnerability, CVE-2020-0684. There was a lot of concern about it being exploited when it was first released but, to date, it has not been exploited in the wild.”

Richard Tsang, Senior Software Engineer, Rapid7:

“This month, a substantial number of vulnerabilities were held within the core components of Windows itself (including the Kernel), covering 54 of the 129 vulnerabilities. Something not frequently seen anymore are two noteworthy Windows Media-related vulnerabilities (CVE-2020-1238, CVE-2020-1239), which I would almost bundle with "browser vulnerabilities," as its likely vector is a malicious webpage.

Continuing on the browser vulnerabilities front, we continue to emphasize the importance of good security practices and hygiene in not clicking (or installing) random links (applications). 5 of the 11 Critical RCEs noted this month (CVE-2020-1213, CVE-2020-1216, CVE-2020-1219, CVE-2020-1073, CVE-2020-1260) are browser based and can be heavily mitigated via good practices. Despite this, it is always better to patch as situations like CVE-2020-1213 (which is a VBScript RCE where an attacker could also embed an ActiveX control marked "safe for initialization") can and often do occur.

In terms of urgency, critical remote execution vulnerabilities are typically choice patches to prioritize. Luckily this month, of the 11 Critical RCE vulnerabilities, 10 can be remediated via Operating System patches. The remaining CVE-2020-1181 is a SharePoint patch which would be more dependent on your environment.

Last, but not least, I want to acknowledge the SMBv3 vulnerabilities being addressed this month. CVE-2020-0796 (initially Security Advisory ADV200005), disclosed back in March 2020, is now seeing functional PoCs targeting unpatched systems. Luckily, these vulnerabilities (CVE-2020-1206, CVE-2020-1284) continue to affect Windows 10 variants on Version 1903 onwards. There is a commonality between all these vulnerabilities, however, and it is that mitigation can be accomplished via disabling SMBv3 compression, which is stated as having no negative performance impact (yet). There are patches, and patches will always be a solid strategy, but it's nice to know what the alternatives could be.”
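The SMBv3 compression workaround Tsang refers to is the one Microsoft documented in ADV200005 for CVE-2020-0796: a DisableCompression DWORD under the LanmanServer Parameters key. The PowerShell below is an added example, not code from the article or from any of the quoted experts; the registry path and value name are the advisory's, while the function names, the report object and the list of affected builds (18362 for 1903 and 18363 for 1909, as assumed here) are this example's own.

```powershell
# Added example: audit and apply the SMBv3 compression workaround from ADV200005.
# Run in an elevated PowerShell session; the registry write requires administrator rights.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb3CompressionDisabled {
    # True only when DisableCompression exists and is set to 1 (the advisory's workaround state).
    $props = Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    $value = $props.PSObject.Properties['DisableCompression']
    return ($null -ne $value -and [int]$value.Value -eq 1)
}

function Get-Smb3CompressionExposure {
    param(
        # Assumption for this example: the Windows 10 / Server 1903 and 1909 builds ADV200005 lists.
        [int[]] $AffectedBuilds = @(18362, 18363)
    )
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    # SMB3 rides on the SMB2 protocol switch; there is no separate SMB3 toggle in the server config.
    $smb2Enabled = (Get-SmbServerConfiguration).EnableSMB2Protocol
    $compressionOff = Test-Smb3CompressionDisabled

    [pscustomobject]@{
        Build                 = $build
        AffectedBuild         = ($AffectedBuilds -contains $build)
        Smb2Enabled           = $smb2Enabled
        CompressionDisabled   = $compressionOff
        # Exposed = affected build, SMB server listening, and the workaround not applied.
        ServerStillExposed    = (($AffectedBuilds -contains $build) -and $smb2Enabled -and -not $compressionOff)
    }
}

function Disable-Smb3Compression {
    # The exact registry change from ADV200005.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Enable-Smb3Compression {
    # Revert once the cumulative update is installed and compression is wanted again.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 0 -Force
}

# Usage: report first, mitigate only where the report says the server is still exposed.
$report = Get-Smb3CompressionExposure
$report | Format-List
if ($report.ServerStillExposed) {
    Disable-Smb3Compression
    Get-Smb3CompressionExposure | Format-List
}
```

Treat the registry change as a stopgap for servers you cannot patch yet. It only affects the SMB server side, so an SMB client connecting to a malicious server is not protected by it, and the advisory's other mitigation, blocking inbound TCP 445 at the perimeter, does nothing for lateral movement inside the network. Installing the updates remains the fix.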

Related: Windows Vulnerabilities Exploited for Code Execution, Privilege Escalation

Related: Microsoft's May 2020 Security Updates Patch 111 Vulnerabilities

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.