Patch Tuesday – June 2020

This month, Microsoft addresses a record 129 CVEs. But the good news is that there are no zero-days to worry about.

Windows 10 and Windows Server

There are 5 critical remote code execution (RCE) flaws patched this month. A bug in the Windows Graphics Device Interface (GDI) could let an attacker take control of affected systems. Microsoft says that users whose accounts have fewer rights are less impacted than local administrators. This flaw could be exploited using a specially crafted website or document. Similar critical RCE bugs patched in Windows fix exploits in Microsoft Windows OLE, .LNK file processing, Windows Shell, and cabinet files.

Legacy EdgeHTML gets 2 critical RCE patches. One in the way ChakraCore handles objects in memory. And the second is a memory corruption vulnerability. Both bugs could let an attacker run arbitrary code with the same rights as the logged in user. So, local administrators are more likely to be impacted on affected systems. Don’t forget that even if you install the new Chromium-based Edge browser, legacy EdgeHTML doesn’t get uninstalled and it needs to be patched.

Similarly, there are 4 critical RCEs patched for Internet Explorer 11. Including the same memory corruption bug fixed for EdgeHTML. Additionally, the remaining bugs are all memory corruption issues with VBScript, potentially allowing an attacker to run arbitrary code in the context of the logged in user. Another reason why users shouldn’t log in with an administrator account.

Server Message Block (SMB) flaws

Following on from SMBGhost, which hackers are now actively exploiting but was patched in an out-of-band update in March, Microsoft plugs another three SMB holes this month. Two are in SMB 3.1.1 and they are likely to be exploited according to Microsoft. The first is a denial-of-service bug and the second is an information disclosure flaw. Both could be exploited remotely by an authenticated user.

The third SMB issue is an RCE flaw in the way SMBv1 handles requests. An authenticated attacker could send a specially crafted packet to an SMBv1 server. But unlike EternalBlue, the flaw used by WannaCry, this latest SMBv1 bug only works if the attacker can authenticate on the server. Interestingly, Microsoft has provided a fix for Windows 7 and Windows Server 2008, both of which are no longer supported.

SMBv1 is a legacy protocol and Microsoft recommends that you disable it in your organization if it isn’t used. You can find more information on Microsoft’s website here about removing SMBv1. Starting in Windows 10 Enterprise and Education, and Windows Server version 1709, assuming a system wasn’t upgraded from a previous version of Windows, SMBv1 is not installed by default. Windows 10 Home and Professional still have the SMBv1 client installed by default after a clean install. But if it isn’t used for 15 days, it is automatically removed.

For more information on default SMBv1 behavior, check out Microsoft’s website here.

Known issues

Microsoft says that this month’s cumulative update for Windows 10 might cause LTE modems to stop working on some systems.

Adobe Flash Player

In a separate update for Adobe Flash Player (KB4561600) being pushed out via Windows Update, Adobe and Microsoft are addressing a critical vulnerability that could let an attacker run arbitrary code in the context of the logged in user.

Microsoft SharePoint, Exchange, and SQL Server

SharePoint Server 2010, 2013, 2016, and 2019 all get an update for a critical RCE flaw where the server doesn’t properly identify and filter unsafe ASP.NET web controls. This bug could be exploited by an authenticated attacker using a specially crafted page to perform actions in the context of the SharePoint application pool process.

Microsoft Office

Finally, Microsoft Office gets a security fix for Outlook where it may not enforce settings correctly. An attacker could use the flaw to load remote images and reveal the IP address of the affected system. A user would need to open a specially crafted image for this bug to be exploited.

That’s it until next month.