Microsoft has released fixes for 111 security vulnerabilities in its May Patch Tuesday update, including 16 critical bugs and 96 that are rated important.
Unlike other recent monthly updates from the computing giant this year, none of the flaws are publicly known or under active attack at the time of release.
Along with the expected cache of operating system, browser, Office and SharePoint updates, Microsoft has also released updates for .NET Framework, .NET Core, Visual Studio, Power BI, Windows Defender, and Microsoft Dynamics.
Privilege-Escalation Bugs to the Fore
The majority of the fixes are important-rated elevation-of-privilege (EoP) bugs. There are a total of 56 of these types of fixes in Microsoft’s May release, primarily impacting various Windows components. Attackers use this class of vulnerability after they have gained initial access to a system, in order to execute code on the target with elevated privileges.
Three of these bugs have received a rating of “Exploitation More Likely,” pointed out Satnam Narang, staff research engineer at Tenable: A pair of flaws in Win32k (CVE-2020-1054, CVE-2020-1143) and one in the Windows Graphics Component (CVE-2020-1135).
The two flaws in Win32k both exist when the Windows kernel-mode driver fails to properly handle objects in memory, according to Microsoft’s advisory. An attacker who successfully exploited either vulnerability could run arbitrary code in kernel mode; thus, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights.
To exploit these, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The Windows Graphics Component EoP bug, meanwhile, is found in most Windows 10 and Windows Server builds, Jay Goodman, strategic product marketing manager at Automox, told Threatpost. “The vulnerability could allow an exploit that leverages how Windows Graphics handles objects in memory,” he said. “An attacker could use this vulnerability to elevate a process’ privileges, allowing the attacker to steal credentials or sensitive data, download additional malware, or execute malicious code.”
It was demonstrated at this year’s Pwn2Own, said Dustin Childs, researcher at Trend Micro’s Zero-Day Initiative.
“While Pwn2Own may have been virtual this year, the bugs demonstrated certainly were not,” he said in a Patch Tuesday analysis. “This bug from the Fluoroacetate duo of Richard Zhu and Amat Cama allows a logged-on user to take over a system by running a specially crafted program. They leveraged a use-after-free (UAF) bug in Windows to escalate from a regular user to SYSTEM.”
There is also one critical EoP bug, in Microsoft Edge (CVE-2020-1056). This exists because Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain, according to Microsoft’s advisory. However, in all cases an attack requires user interaction, such as tricking users into clicking a link that takes them to the attacker’s site.
“In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability,” it said. “In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability.”
Critical Patches to Consider
Other bugs of note include two remote code execution (RCE) flaws in Microsoft Color Management (CVE-2020-1117) and Windows Media Foundation (CVE-2020-1126), which could both be exploited by tricking a user via social engineering techniques into opening a malicious email attachment or visiting a website that contains the exploit code.
“Successful exploitation would allow an attacker to perform actions on the system using the same permissions as the current user that was compromised,” said Tenable’s Narang. “If the user has administrative privileges, the attacker could then perform a variety of actions, such as installing programs, creating a new account with full user rights, and viewing, changing or deleting data.”
The critical patches also cover Chakra Core, Internet Explorer and EdgeHTML, while SharePoint accounts for four critical bugs, continuing its dominance in that category from last month.
“Most of the critical vulnerabilities are resolved by the OS and browser updates, but there are four critical vulnerabilities in SharePoint and one in Visual Studio,” Todd Schell, senior product manager, security, for Ivanti said via email.
On the SharePoint front, CVE-2020-1023 and CVE-2020-1102 are critical RCE vulnerabilities that would allow attackers to access a system and read or delete contents, make changes, or directly run code on the system.
“This gives an attacker quick and easy access to not only your organization’s most critical data stored in the SQL server but also a platform to perform additional malicious attacks against other devices in your environment,” Automox’ Goodman told Threatpost. “Systems like SharePoint can often be difficult to take offline and patch, allowing RCE vulnerabilities to linger in your infrastructure. This gives attackers the ability to ‘live off the land’ and move laterally easily once access is gained via an existing exploit.”
Also in SharePoint, an exploit for CVE-2020-1024 would give an attacker the ability to execute arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account, potentially impacting all the users connected to and using the platform.
“If an attacker is able to access this critical component of the network, lateral movement throughout the connected filesystems would be difficult to contain,” said Richard Melick, senior technical product manager at Automox, via email. “With Microsoft SharePoint’s rise in use to support remote workers, addressing this vulnerability quickly is critical to securing a central hub of access to the full corporate network and data.”
As for Visual Studio, “users of the Visual Studio Code Python Extension should take note of the two patches released this month,” Childs noted, which are both RCE issues. “One is rated critical [CVE-2020-1192] while the other is rated important [CVE-2020-1171]. There’s no indication as to why one is more severe than the other, and users should treat them both as critical.”
Other Bugs of Note
When exploited, both of the VBScript flaws (CVE-2020-1058 and CVE-2020-1060) could allow an attacker to gain the same rights as the current user.
“While both CVE-2020-1058 and CVE-2020-1060 are not rated critical in severity, it’s very possible to see them used by attackers in the wild; both vulnerabilities impact VBScript and how the scripting engine handles objects in memory,” Chris Hass, director of information security and research for Automox, told Threatpost. “Due to the versatility of VBScript in Windows, these vulnerabilities allow for several attack vectors to be explored by malicious actors.”
For instance, an attacker could host a malicious webpage with a specially crafted payload to exploit any user visiting the page using Internet Explorer, inject code into a compromised webpage, or even launch a malvertising campaign to serve the payload via malicious advertisements on popular websites, he said.
He added, “An attacker could also embed an ActiveX control object in an application or Office document that could be used in a phishing campaign to gain code execution on the machine. It’s likely only a matter of time till attackers, such as DarkHotel, incorporate these into their arsenal.” DarkHotel has been known to use VBScript bugs in the past.
There’s also an interesting denial-of-service vulnerability (CVE-2020-1118) in the Microsoft Windows Transport Layer Security implementation. It allows a remote, unauthenticated attacker to force an affected system to reboot abnormally, resulting in a denial-of-service condition.
“A NULL pointer dereference vulnerability exists in the Windows implementation of the Diffie-Hellman protocol,” explained Childs. “An attacker can exploit this vulnerability by sending a malicious Client Key Exchange message during a TLS handshake. The vulnerability affects both TLS clients and TLS servers, so just about any system could be shut down by an attacker. Either way, successful exploitation will cause the lsass.exe process to terminate.”
In terms of patching prioritization, “What is interesting and often overlooked is seven of the 10 CVEs at higher risk of exploit are only rated as important,” Ivanti’s Schell said. “It is not uncommon to look to the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as important vs. critical. If your prioritization stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics. Look to other risk metrics like publicly disclosed, exploited (obviously) and exploitability assessment (Microsoft specific) to expand your prioritization process.”
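As an added illustration of Schell’s point (example code written for this article, not from Ivanti or Microsoft): it ranks a constructed set of this month’s CVEs by Microsoft’s exploitability assessment and by exploited/publicly-disclosed status ahead of vendor severity, and reports which high-risk Important bugs a severity-only ordering would push down. The Advisory fields, the weights, and the exploitability values for the Edge and SharePoint entries are assumptions.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 2, "Important": 1, "Moderate": 0, "Low": 0}
# Microsoft Exploitability Index wording; the numeric ranking is this example's assumption
EXPLOITABILITY_RANK = {"Exploitation Detected": 3, "Exploitation More Likely": 2,
                       "Exploitation Less Likely": 1, "Exploitation Unlikely": 0}

@dataclass(frozen=True)
class Advisory:            # field names are this example's own, not Microsoft's schema
    cve: str
    component: str
    severity: str          # vendor severity
    exploitability: str    # Microsoft exploitability assessment
    publicly_disclosed: bool = False
    exploited: bool = False

def risk_score(a: Advisory) -> int:
    """Exploit signals outweigh severity (assumed weights), so Important + 'More Likely' beats Critical + 'Less Likely'."""
    score = 100 if a.exploited else 0
    score += 50 if a.publicly_disclosed else 0
    score += 10 * EXPLOITABILITY_RANK.get(a.exploitability, 0)
    return score + SEVERITY_RANK.get(a.severity, 0)

def by_risk(advisories):
    """Highest risk first; ties broken by CVE id so the order is stable."""
    return sorted(advisories, key=lambda a: (-risk_score(a), a.cve))

def by_severity_only(advisories):
    """The order a 'patch Critical first' process produces."""
    return sorted(advisories, key=lambda a: (-SEVERITY_RANK.get(a.severity, 0), a.cve))

def pushed_down(advisories, top_n):
    """CVEs in the risk-based top N that a severity-only top N leaves out."""
    top = lambda order: {a.cve for a in order(advisories)[:top_n]}
    return sorted(top(by_risk) - top(by_severity_only))

# Constructed sample: the Win32k/Graphics ratings are as the article reports them;
# the Edge and SharePoint exploitability values are placeholders, not Microsoft's.
SAMPLE = [
    Advisory("CVE-2020-1054", "Win32k", "Important", "Exploitation More Likely"),
    Advisory("CVE-2020-1143", "Win32k", "Important", "Exploitation More Likely"),
    Advisory("CVE-2020-1135", "Windows Graphics", "Important", "Exploitation More Likely"),
    Advisory("CVE-2020-1056", "Microsoft Edge", "Critical", "Exploitation Less Likely"),
    Advisory("CVE-2020-1023", "SharePoint", "Critical", "Exploitation Less Likely"),
]

if __name__ == "__main__":
    for a in by_risk(SAMPLE):
        print(f"{risk_score(a):3d}  {a.severity:9s}  {a.cve}  {a.component}")
    print("pushed down by a severity-only top 3:", pushed_down(SAMPLE, 3))
```

Feeding the same records into a "Critical first" sort shows the two SharePoint and Edge entries at the top and all three "Exploitation More Likely" bugs below them, which is the gap Schell describes.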
Melick added that the critical bug in Visual Studio Code, which stems from how the Python extension loads workspace settings from a notebook file, should be a top priority, given that it’s one of the most popular developer environment tools.
“Accounting for over 50 percent of the market share of developer tools, an attacker is not short of potential targets, and if successful, would have the ability to take control of the victim machine acting as the current user,” he said. “Once an attacker has gained access, they could be capable of stealing critical information like source code, inserting malicious code or backdoors into current projects, and installing, modifying or deleting data. Due to the importance and popularity of Visual Studio Code, it is critical that organizations deploy this patch within 24 hours before this vulnerability is weaponized and deployed.”
Microsoft has been on a bug-fixing roll lately; this month marks three months in a row that Microsoft has released patches for more than 110 CVEs.
“We’ll see if they maintain that pace throughout the year,” said Childs.