Microsoft’s May 2020 security updates patch 111 vulnerabilities, including 16 rated critical, but none of them has been exploited in attacks or disclosed before fixes were released.
The critical vulnerabilities patched this month impact the Edge and Internet Explorer web browsers, Windows, SharePoint and Visual Studio, and they can be exploited for remote code execution or privilege escalation.
The remaining security holes have been rated important and they impact .NET, Windows, Edge, Internet Explorer, Office, Visual Studio, and Power BI Report Server, and they can lead to DoS attacks, privilege escalation, remote code execution, XSS attacks, spoofing attacks, and information disclosure.
Several experts have shared their thoughts with SecurityWeek on the latest round of patches from Microsoft:
Jimmy Graham, Senior Director of Product Management, Qualys:
“For the past three months, Microsoft has been issuing very large Patch Tuesday releases, with March fixing 115 vulnerabilities, April with 113, and now May with 111. This shows their commitment to resolving vulnerabilities in their software, and their continued engagement with the security community.”
Greg Wiseman, senior security researcher, Rapid7:
“The bulk of this month’s fixes, as well as most of the critical ones, are for core components of the Windows operating system itself. 44 of the 55 Windows vulnerabilities allow elevation of privilege, a favourite for attackers who want to expand their capabilities after getting an initial foothold (perhaps by first exploiting CVE-2020-1126, for example, a Remote Code Execution (RCE) vulnerability in Windows Media Foundation).
There is a smattering of browser vulnerabilities, fewer than usual but still worth your attention. CVE-2020-1062 and CVE-2020-1035 are two of several vulnerabilities this month that allows RCE in Internet Explorer. Three vulnerabilities in Edge could allow spoofing (CVE-2020-1059), RCE (CVE-2020-1096, related to Edge’s PDF reader), or elevation of privilege (CVE-2020-1056) for anyone an attacker can convince to visit a malicious website. Only one vulnerability is being patched in Office: CVE-2020-0901 is an RCE in Excel on all supported versions (including Office for Mac).
SharePoint admins need to be aware of twelve distinct CVEs being patched this month, including CVE-2020-1069 (one of four RCEs), seven Spoofing weaknesses, and an information disclosure vulnerability (CVE-2020-1103). Also on the server side, CVE-2020-1055 affects Active Directory Federation Services and could allow an unauthenticated attacker to perform cross-site scripting attacks on affected systems, running scripts as the current user of the system.
Similar to April, and likely a relief to many administrators who are still facing the task of patching remotely working fleets, most of this month’s issues will be addressed by relatively few KBs.”
Jay Goodman, strategic product marketing manager, Automox:
“Notable vulnerabilities include CVE-2020-1023, CVE-2020-1102, and CVE-2020-1135.
CVE-2020-1023 and CVE-2020-1102 are remote code execution vulnerabilities in Microsoft SharePoint. These vulnerabilities allow attackers to access a system and read or delete contents, make changes, or directly run code on the system. This gives an attacker quick and easy access to not only your organization’s most critical data stored in the SQL server but also a platform to perform additional malicious attacks against other devices in your environment. Systems like SharePoint can often be difficult to take offline and patch, allowing RCE vulnerabilities to linger in your infrastructure. This gives attackers the ability to “live off the land” and move laterally easily once access is gained via an existing exploit.
CVE-2020-1135 is a vulnerability in the Windows Graphics Component allowing elevation of privilege. The vulnerability is found in most Windows 10 and Windows Server builds and is marked by Microsoft as more likely to be exploited. The vulnerability could allow an exploit that leverages how Windows Graphics handles objects in memory. An attacker could use this vulnerability to elevate a process’ privileges, allowing the attacker to steal credentials or sensitive data, download additional malware, or execute malicious code.
With the world facing a sudden and shifting landscape, the “New Normal” of large patch batches for Patch Tuesday’s is not easing the burden on IT and security admins. Yet again, the race to end your vulnerabilities today is on with admins needing to patch a multitude of holes while adversaries are able to cherry-pick from a host of available attack vectors.”
Chris Hass, director of information security and research, Automox:
“While both CVE-2020-1058 and CVE-2020-1060 are not rated critical in severity, it’s very possible to see them used by attackers in the wild; both vulnerabilities impact VBScript and how the scripting engine handles objects in memory. When exploited, both could allow an attacker to gain the same right as the current user. Due to the versatility of VBScript in Windows, these vulnerabilities allow for several attacker vectors to be explored by malicious actors. An attacker could host a malicious webpage with a specially crafted payload to exploit any user visiting the page using IE, inject code into a compromised webpage, or even launch a malvertising campaign to serve the payload via malicious advertisements on popular websites. An attacker could also embed an Active X control object in an application or Office document that could be used in a phishing campaign to gain code execution on the machine. It’s likely only a matter of time till attackers, such as DarkHotel, incorporate these into their arsenal.”
Richard Melick, Sr. technical product manager, Automox:
“Visual Studio Code, one of the most popular developer environment tools, received a patch addressing CVE-2020-1192, a vulnerability in how Python extension loads workspace settings from a notebook file. Accounting for over 50% of the market share of developer tools, an attacker is not short of potential targets, and if successful, would have the ability to take control of the victim machine acting as the current user. Once an attacker has gained access, they could be capable of stealing critical information like source codes, inserting malicious code or backdoors into current projects, and install, modify, or delete data. Due to the importance and popularity of Visual Studio Code, it is critical that organizations deploy this patch within 24 hours before this vulnerability is weaponized and deployed.
Microsoft Sharepoint, the increasingly popular team collaboration platform, requires a critical update today, addressing CVE-202-1024. If exploited successfully, this vulnerability would give an attacker the ability to execute arbitrary code from the SharePoint application pool and the SharePoint server farm account, potentially impacting all the users connected into and using the platform. If an attacker is able to access this critical component of the network, lateral movement throughout the connected filesystems would be difficult to contain. With Microsoft Sharepoint’s rise in use to support remote workers, addressing this vulnerability quickly is critical to securing a central hub of access to the full corporate network and data.”