June 2020 Patch Tuesday Update—Highest CVE count in history

The June patch Tuesday release is another heavy one, meaning the research community keeps finding more vulnerabilities and Microsoft continues to step up and knock them down. In total, 128 unique CVE numbers were fixed—the highest so far. Of those, 11 are marked “Critical” across operating systems, browsers, and one in SharePoint. There are also some very notable “Important” vulnerabilities to pay attention to, which we’ll break down here as well. There are no “Exploit Detected” entries this month but there are some “Exploitation More Likely” listings—including a few surprises (I’m talking about you SMBv1!). As always, let’s start with the “Criticals.”

Operating systems

There are five “Critical” operating system vulnerabilities in this batch. They’re all remote code execution vulnerabilities, and all are listed as “Exploitation Less Likely.” This is usually due to the complexity required to deliver and exploit the vulnerability.

CVE-2020-1248 is a GDI+ remote code execution vulnerability that would give the attacker the same rights as the logged-on user. It requires a user to access a malicious webpage or to open a document sent via email or file sharing to execute the vulnerability. The fix addresses how Graphics Device Interface handles memory. This vulnerability affects the most recent versions of Windows 10 (1903, 1909, and the newly released 2004) and the corresponding Server Core systems. The vulnerability is only listed as “Important” on version 2004, which means there were likely some changes in that area of the code in version 2004 that mitigate the risk.

The next one, CVE-2020-1281, is a vulnerability in Object Linking (OLE) that would allow an attacker to execute code on a system if a user accesses a file or program on that system. This vulnerability affects all supported versions of Windows, including Windows 7 and Server 2008, all the way up to the most recent versions of Windows 10 and Windows Server (including Core). This means you will need ESU to update Windows 7 and Server 2008.

There is a Windows Shell file path validation issue that would allow an attacker to execute code with the same permissions as the user. CVE-2020-1286 fixes this vulnerability in Windows 10 (version 1709 up to 2004, including corresponding Server versions).

CVE-2020-1299 would also grant the attacker the same rights as the logged-on user if they were to click on a malicious .LNK file in a remote share or removable drive. This patch addresses how the shortcut is processed.

Finally, CVE-2020-1300 is a vulnerability in Windows that would allow an attacker to execute remote code if the user opened a cabinet file on the affected system.

Browsers

It seems this month that Microsoft has more concern with the browser-based vulnerabilities, as several of them are marked “Exploitation More Likely.” First up is a trio of VBScript remote code execution vulnerabilities in Internet Explorer.

CVE-2020-1260, CVE-2020-1213, and CVE-2020-1216 have identical descriptions and exploitability assessments. Accessing a malicious website or an ActiveX control in Microsoft 365 that uses the IE engine for rendering could grant the attacker the same rights as the user. They all affect Internet Explorer 11 on all supported operating systems, and Internet Explorer 9 on Server 2008 systems. As with most browser vulnerabilities, they are rated as Moderate on the Server operating systems because of the enhanced security configuration that browsers come configured with when installed on Server.

CVE-2020-1219 is a browser memory corruption vulnerability in Internet Explorer 11, as well as the Edge-HTML version of the Edge Browser. It would also grant the attacker the same rights as the user and is marked as “Exploitation More Likely.”

The final “Critical” browser vulnerability is marked as “Exploitation Less Likely.” CVE-2020-1073 is a scripting engine memory corruption vulnerability and affects the Edge-HTML version of Microsoft Edge on Windows 10 1709 up to 1909 (including Server versions).

Other applications

The final “Critical” affects SharePoint Server. CVE-2020-1181 is a remote code execution vulnerability. If an attacker has access, they could create a specially crafted page on SharePoint 2010 SP2, SharePoint Foundation 2013 SP1, SharePoint Enterprise 2016, or SharePoint Server 2019.

Finally, Microsoft released an advisory for Adobe products, ADV200010 for Adobe Flash components in Windows 8.1 up to current versions of Windows 10. IT should be noted that this is a separate update from the cumulative updates and should be given attention.

Other notable issues

We often direct our focus to the “Critical” updates, but sometimes you can find some updates of concern in the “Important” vulnerabilities as well. If you’re prioritizing only certain types of updates, you should consider adding “Important” to your criteria, as there are sometimes some hidden “high-risk” vulnerabilities in that group. There are a few of note we will discuss here:

CVE-2020-1301 is a Windows SMB remote code execution vulnerability, and it’s listed as “Exploitation More Likely.” It affects SMBv1 in all supported operating systems from Windows 7 up to Windows 10 current version (2004) and all corresponding server versions. If this sounds familiar, it’s a vulnerability in the same area the famous ShadowBrokers mass-released exploits for in 2017, and was the vector for the WannaCry and NotPetya attacks that year. This vulnerability doesn’t quite meet that level of risk though—mainly because this one requires authentication, while WannaCry did not. It’s important to note that even Microsoft recommends you disable SMBv1, as the protocol is 30 years old and most communications and applications have moved to SMBv2 or v3 by now. If you have SMBv1 enabled, you should disable it immediately, as this will likely not be the end of vulnerabilities found in the protocol.  If you cannot disable it, you should deploy updates immediately. The instructions on how to disable it are included in the Workarounds section of the article.

CVE-2020-1241 is also listed as “Exploitation More Likely.” It’s a vulnerability in the kernel that would allow an attacker to bypass security but requires access to the affected system. This fact gives this vulnerability a lower CVSS score, but clearly Microsoft suspects bad actors may attempt to leverage this vulnerability in the future. Windows 10 from 1607 to 2004 (including Server versions) are affected by this vulnerability.

CVE-2020-1247 and CVE-2020-1251  are both Windows kernel-mode driver vulnerabilities that would require an attacker to log on to the affected system, but Microsoft has also listed this one as “Exploitation More Likely.” CVE-22020-1247 affects all versions of Windows from Windows 7 to current (including Server), while CVE-2020-1251 affects Windows 8.1 to current versions of Windows 10.

The final “Important” vulnerability listed as “Exploitation More Likely” is found in Internet Explorer 11 on all supported operating systems. CVE-2020-1230 would grant the attacker the same rights as the user if they accessed a malicious webpage or opened a document in Office where the IE rendering engine was used.

27 Vulnerabilities were fixed in Windows 7 based operating systems—falling under the Extended Security Updates (ESU) required to continue getting fixes. If you’re running this operating system, we recommend you purchase ESU or upgrade to a supported operating system.

Summary

From a priority standpoint, browsers and internet-facing workstations should take priority and then SharePoint. If you haven’t disabled SMBv1 yet across your systems, you should do that this month. The good news: since version 1709 of Windows 10, Microsoft hasn’t installed SMBv1 by default on a new installation. However, you could have installed and enabled it yourself. If you’re running Windows 7, this is another good reason to move to a supported (and more secure) operating system.

Remember, if you’re running Windows 10 or the corresponding server operating system, the Cumulative update will contain all the fixes for the operating system and the browsers. Older operating systems require you either install the updates separately or install the Rollups.

It’s another “heavy” month of vulnerabilities in the world of Windows, so make sure you’re up to date. When looking at the themes for attack vectors in all the vulnerabilities we’ve discussed, I keep coming back to one point: since it can take time to deploy patches across an IT estate, it’s always important to ensure other layers of protection are in place. For example, many of the vulnerabilities mention email as a vector but your email security solution shouldn’t allow attachments such as .LNK and .CAB files. Limiting access to malicious websites with web protection reduces the risk of an attempted exploit. Disabling SMBv1 greatly reduces the risk of a successful attack. Combining these with a timely patch deployment plan helps ensure you’re protecting yourself and your customers.

Let’s stay safe out there!

Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd