
Patch Tuesday – May 2020

May’s Patch Tuesday sees Microsoft issue fixes for a whopping 111 vulnerabilities, making this month the third-biggest set of patches in Microsoft’s history. That said, there are no zero-day flaws. Let’s start with Windows 10 and Windows Server.

Windows 10 and Windows Server

This month there are 5 critical remote code execution (RCE) flaws in Windows 10 patched by Microsoft. 3 are memory corruption vulnerabilities in Windows Media Foundation. Attackers could exploit the vulnerabilities to install programs; view, change, or delete data; or create new accounts with full user rights. Users would need to visit a specially crafted website or open an infected document to fall victim.

The remaining 2 bugs are in the Color Management Module (ICM32.dll) and Microsoft Graphics Components. The ICM32.dll vulnerability could let an attacker create new accounts with full user rights. Users without admin privileges are less likely to be impacted. The Microsoft Graphics Components vulnerability could let an attacker run arbitrary code on the affected system if the user opened a specially crafted file.

Of the remaining 73 patches, which are rated Important, 53 address elevation of privilege (EoP) bugs and 6 RCE flaws. CVE-2020-1067 is an RCE bug that could let an attacker with a domain account run arbitrary code with elevated permissions.

Microsoft Edge and Internet Explorer

Legacy Edge gets three critical patches for 2 RCEs and 1 EoP. There’s one RCE bug rated Important (CVE-2020-1096) in Edge’s PDF reader. It could let an attacker run arbitrary code in the context of the logged-in user. Internet Explorer 11 also gets 7 patches this month, 3 of which are rated Critical.

Microsoft Office

Microsoft Office 2019 gets one fix for an Important RCE. The vulnerability exists because Excel fails to handle objects correctly in memory. An attacker could run arbitrary code in the context of the logged-in user. Users without local administrator privileges are less impacted by this bug. A user would need to open a specially crafted file for this flaw to be exploited.

Microsoft Exchange, SharePoint, and SQL Server

There are no security fixes for Exchange Server or SQL Server. SharePoint Server 2016 gets 12 fixes, 4 of which Microsoft rates as Critical. All 4 critical flaws are RCEs. Of the remaining patches, 7 address spoofing issues and 1 an information disclosure problem.

Adobe software

Finally, Adobe Flash Player gets an update but without any security fixes. Adobe Acrobat and Acrobat Reader get 12 fixes, half of which are rated Critical. The critical bugs include arbitrary code execution and security feature bypass flaws.

That is it for another month!

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.