Microsoft has released patches for 129 vulnerabilities as part of its June Patch Tuesday updates – the highest number of CVEs ever released by Microsoft in a single month.
Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products. Unlike other recent monthly updates from Microsoft, its June updates did not include any zero-day vulnerabilities being actively attacked in the wild.
“For June, Microsoft released patches for 129 CVEs covering Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based and Chromium-based in IE Mode), ChakraCore, Office and Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, and Microsoft Apps for Android,” according to Dustin Childs, with Trend Micro’s Zero Day Initiative, in a Tuesday post. “This brings the total number of Microsoft patches released this year to 616 – just 49 shy of the total number of CVEs they addressed in all of 2017.”
Microsoft’s June Patch Tuesday volume beats out the update from May, where it released fixes for 111 security flaws, including 16 critical bugs and 96 that are rated important.
Satnam Narang, staff research engineer at Tenable, told Threatpost that a trio of fixes stuck out in the Patch Tuesday updates, for flaws in Microsoft Server Message Block (SMB). Two of these flaws exist in Microsoft Server Message Block 3.1.1 (SMBv3). All three vulnerabilities are notable because they’re rated as “exploitation more likely” based on Microsoft’s Exploitability Index.
The two flaws in SMBv3 include a denial-of-service vulnerability (CVE-2020-1284) and an information-disclosure vulnerability (CVE-2020-1206), both of which can be exploited by a remote, authenticated attacker.
Narang said the flaws “follow in the footsteps” of CVE-2020-0796, a “wormable” remote code execution flaw in SMBv3 that was patched back in March, dubbed “SMBGhost.” CISA recently warned that the release of a fully functional proof-of-concept (PoC) for SMBGhost could soon spark a wave of cyberattacks.
The third vulnerability patched in Microsoft SMB, CVE-2020-1301, is a remote code-execution vulnerability that exists in the way SMBv1 handles requests. To exploit the flaw, an attacker would need to be authenticated and to send a specially crafted packet to a targeted SMBv1 server.
Narang said this flaw “might create a sense of déjà vu” for another remote code-execution vulnerability in SMBv1, EternalBlue, which was used in the WannaCry 2017 ransomware attacks.
“However, the difference between these two is that EternalBlue could be exploited by an unauthenticated attacker, whereas this flaw requires authentication, according to Microsoft,” he said. “This vulnerability affects Windows 7 and Windows 2008, both of which reached their end of support in January 2020. However, Microsoft has provided patches for both operating systems.”
Various critical remote code-execution flaws were discovered in VBScript, Microsoft’s Active Scripting language that is modeled on Visual Basic (CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260). The flaws exist in the way that the VBScript engine handles objects in memory; an attacker could corrupt memory in such a way that allows them to execute arbitrary code in the context of the current user.
In a real-life attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” said Microsoft. “If the current user is logged on with administrative-user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.”
Other Critical Flaws
Also of note is a critical flaw (CVE-2020-1299) that exists in Microsoft Windows, which could allow remote code-execution if a .LNK file is processed. An .LNK file is a shortcut or “link.” An attacker can embed a malicious .LNK in a removable drive or remote share, and then convince the victim to open the drive or share in Windows Explorer. Then, the malicious binary will execute the code. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, according to Microsoft.
The update also addressed a Windows critical RCE flaw (CVE-2020-1300) that exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver, according to Microsoft’s update.
Another critical vulnerability (CVE-2020-1286) exists due to Windows Shell not properly validating file paths. An attacker could exploit the flaw by convincing a user to open a specially crafted file, and then would be able to run arbitrary code in the context of the user, according to Microsoft’s update.
“If the current user is logged on as an administrator, an attacker could take control of the affected system,” said Microsoft. “An attacker could then install programs; view, change or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.”
A critical flaw (CVE-2020-1181) in SharePoint server was also fixed, stemming from the server failing to properly identify and filter unsafe ASP.Net web controls. The flaw can be abused by an authenticated, remote user who invokes a specially crafted page on an affected version of Microsoft SharePoint Server, allowing them to execute code.
Microsoft also issued updates addressing Windows 10, 8.1 and Windows Server versions affected by a critical, use-after-free Adobe Flash Player flaw (CVE-2020-9633). According to Microsoft, “In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website.”
Meanwhile, Adobe earlier on Tuesday released patches for four critical flaws in Flash Player and in its Framemaker document processor as part of its regularly scheduled updates. The bugs, if exploited, could enable arbitrary code-execution.