May 2020 Patch Tuesday Update: 111 CVE Numbers Addressed

This month’s Patch Tuesday release contains 111 total CVE numbers addressed, with 16 of them listed as “Critical.” Unlike the past few months, there are no vulnerabilities listed as “Exploit Detected” by Microsoft. The “Critical” vulnerabilities this month affect Windows operating systems, browsers, SharePoint, and Visual Studio Code.

Operating systems

There are five operating system vulnerabilities marked “Critical” this month. Let’s start off with CVE-2020-1153, since it has a listing of “Exploitation More Likely” on older operating systems. This is a Graphics Component Remote Code Execution Vulnerability where a user would have to open a specially crafted file. This would allow the attacker to execute code on the system. For current versions of Windows 10, it is listed as “Exploitation Less Likely,” but for Windows 7, 8.1, and Windows Server 2008 and 2012 it has an “Exploitation More Likely” rating.

Next up is a Windows Media Foundation Memory Corruption Vulnerability, CVE-2020-1028. This vulnerability would require a user to open a crafted document or visit a malicious webpage and would grant the attacker full rights to the system. It affects all versions of Windows 10, as well as Server 2016 up to 2019, including Core versions.

Here is an area we have not seen a vulnerability in for some time—Microsoft Color Management Remote Code Execution Vulnerability is marked with CVE-2020-1117. The vulnerability is in how ICM32.dll handles memory. Opening a malicious website would allow the attacker to gain the same rights as the logged-on user, so accounts that do not have administrative rights would be less affected, according to Microsoft.

Finally, we have a pair of Media Foundation Memory Corruption vulnerabilities. Both are rated as “Exploitation Less Likely” and require a user to open a malicious document or visit a malicious webpage. CVE-2020-1126 affects Windows 10 and Server 2016/2019, while CVE-2020-1136 affects those operating systems, plus Windows 7, 8.1, and Server 2008/R2 and 2012/R2

Browsers

There are six “Critical” vulnerabilities in browsers, with some of the usual suspects from many of the last Patch Tuesdays as well.

CVE-2020-1062 is an Internet Explorer Memory Corruption Vulnerability that Microsoft lists as “Exploitation More Likely.” It requires the users to visit a malicious website or can be served from a malicious advertisement on a legitimate website. It gives the attacker the same rights as the logged-on user. This affects all IE 11 installations, and IE9 on Server 2008

The VBScript Remote Code Execution Vulnerability found in Internet Explorer 11 would be exploited by a user visiting a malicious website, or through an ActiveX control in an Office document. It is listed as CVE-2020-1093

CVE-2020-1037, affects the Edge-HTML version of Microsoft Edge, and is listed as “Exploitation Less Likely.”

CVE-2020-1056 is a Microsoft Edge Elevation of Privilege Vulnerability that would allow an attacker to elevate privilege across domains if it were exploited by a user visiting a malicious website and is found in Edge-HTML versions of Microsoft Edge.

Another Edge-HTML vulnerability is the Scripting Engine Memory Corruption Vulnerability, but this one would require the user to be tricked into editing a specially crafted file, which is unlikely for most users.

The Scripting Engine Memory Corruption Vulnerability from CVE-2020-1065 would grant the attacker the same rights as the user. This is also in the Edge-HTML version of Microsoft Edge.

Other applications

There were four “Critical” vulnerabilities patched for SharePoint this month, affecting slightly different versions, depending on the vulnerability. They are all remote code execution vulnerabilities.

CVE-2020-1023 and CVE-2020-1024 are both Found in SharePoint Enterprise Server 2016, Foundation 2013 SP1, and SharePoint Server 2019. They would require a user who has access to SharePoint to upload a specially crafted application package to the vulnerable server. They are listed as “Exploitation Less Likely.” CVE-2020-1102 has the same description, but only affects the 2016 and 2019 versions of SharePoint.

The last SharePoint vulnerability requires a bad actor to create and invoke a specially crafted page on a SharePoint server. It is listed as CVE-2020-1069 and is rated as “Exploitation Less Likely.”

The final “Critical” is a Visual Studio Code Python Extension Remote Code Execution Vulnerability listed as CVE-2020-1192. It would require a user to open a specially crafted file in Visual Studio Code with the Python extension installed.

Other notable vulnerabilities

Microsoft also released fixes for vulnerabilities in PowerBI Report Server and Microsoft Dynamics this month, but they are labeled as “Important.”

It should be noted that Microsoft also released some “out of band” patches on April 21 for Office, 3D Viewer, and Paint 3D products. They are covered in ADV200004 and reference the Autodesk FBX Library, and how it handles 3D content.

Summary

With no 0-days or emergencies at time of writing, taking an approach of first patching user-facing devices such as workstations and then servers in your next maintenance/downtime window is recommended. Then turn focus to SharePoint and Office components. As always, you may note that many of these vulnerabilities reference malicious websites and files that are often delivered through emails. Endpoint protection, web protection, and email protection are the other pillars of a layered security approach that will help mitigate risk until the patches can be approved and deployed.

On another note, there are 26 vulnerabilities fixed this month that apply to devices under an ESU agreement. So, if you are still running Windows 7 and Server 2008, it is recommended that you either purchase an extended security update agreement or make plans to move to a supported operating system.

Let’s stay safe out there!

 

Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd