
Patch Tuesday – May 2020

May’s Patch Tuesday sees Microsoft issue fixes for a whopping 111 vulnerabilities, making this month the third biggest set of patches in Microsoft’s history. That said, none of the flaws is a zero-day: Microsoft lists no vulnerabilities as publicly disclosed or exploited in the wild. Let’s start with Windows 10 and Windows Server.

Windows 10 and Windows Server

This month there are 5 critical remote code execution (RCE) flaws in Windows 10 patched by Microsoft. 3 are memory corruption vulnerabilities in Windows Media Foundation. An attacker who exploited them could install programs; view, change, or delete data; or create new accounts with full user rights. Users would need to visit a specially crafted website or open a malicious document to fall victim.

The remaining 2 bugs are in the Color Management Module (ICM32.dll) and Microsoft Graphics Components. The ICM32.dll vulnerability could let an attacker create new accounts with full user rights. Users without admin privileges are less likely to be impacted. The Microsoft Graphics Components vulnerability could let an attacker run arbitrary code on the affected system if the user opened a specially crafted file.

Of the remaining 73 patches, which are rated Important, 53 address elevation of privilege (EoP) bugs and 6 address RCE flaws. CVE-2020-1067 is an RCE bug that could let an attacker who already holds a domain user account run arbitrary code with elevated permissions, so it is worth prioritising on domain-joined servers even though it is not rated Critical.
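After a release this size the practical question is whether the updates actually landed on each host. The following PowerShell function is an added example and is not part of the original article or any Microsoft tooling: it reports hotfixes installed since the release date, flags any KB IDs you expected but do not see, asks the Windows Update agent for updates that are still applicable but not installed, and records the on-disk version of ICM32.dll (the Color Management Module named above) so you can compare it before and after patching. The default date (12 May 2020) is the May 2020 Patch Tuesday; the `-ExpectedKB` list and the `KB0000000` placeholder in the usage line are assumptions for the operator to fill in, not real article IDs.

```powershell
# Added example, not from the original article. Assumptions: the release date
# defaults to the May 2020 Patch Tuesday (2020-05-12); the KB IDs you expect
# are supplied by the caller; no specific KB numbers are asserted here.
function Get-PatchTuesdayStatus {
    [CmdletBinding()]
    param(
        # Release date of the Patch Tuesday being audited.
        [datetime]$ReleaseDate = '2020-05-12',

        # KB IDs you expect to see installed (e.g. the monthly cumulative update).
        # Hypothetical placeholder used in the usage line below.
        [string[]]$ExpectedKB = @()
    )

    $allHotfixes = Get-HotFix

    # 1. Hotfixes whose recorded install date is on or after the release date.
    #    InstalledOn can be null on some builds, so guard against it.
    $installedSince = $allHotfixes |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $ReleaseDate } |
        Select-Object HotFixID, Description, InstalledOn

    # 2. Expected KBs that are absent from the installed list.
    $present = $allHotfixes.HotFixID
    $missing = @($ExpectedKB | Where-Object { $present -notcontains $_ })

    # 3. Ask the Windows Update agent which applicable updates are not installed.
    #    This uses the documented Microsoft.Update.Session COM API and works
    #    against WSUS or Microsoft Update, whichever the host is configured for.
    $pending = @()
    try {
        $session  = New-Object -ComObject 'Microsoft.Update.Session'
        $searcher = $session.CreateUpdateSearcher()
        $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
        foreach ($u in $result.Updates) {
            $pending += [pscustomobject]@{
                Title    = $u.Title
                KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
                Severity = $u.MsrcSeverity   # 'Critical', 'Important', ... or empty
            }
        }
    } catch {
        Write-Warning "Windows Update search failed: $($_.Exception.Message)"
    }

    # 4. Version of the Color Management Module on disk. On Windows 10 the
    #    FileVersion string is not always refreshed by servicing, so prefer the
    #    binary version (FileVersionRaw, PowerShell 5.1+) when it is available.
    $icmPath = Join-Path $env:SystemRoot 'System32\icm32.dll'
    $icmVersion = $null
    if (Test-Path $icmPath) {
        $vi = (Get-Item $icmPath).VersionInfo
        $icmVersion = if ($vi.PSObject.Properties['FileVersionRaw']) { $vi.FileVersionRaw } else { $vi.FileVersion }
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OSVersion             = (Get-CimInstance Win32_OperatingSystem).Version
        InstalledSinceRelease = $installedSince
        MissingExpectedKB     = $missing
        PendingUpdates        = $pending
        Icm32Version          = $icmVersion
        Compliant             = ($missing.Count -eq 0) -and (@($pending | Where-Object { $_.Severity -eq 'Critical' }).Count -eq 0)
    }
}

# Usage (KB0000000 is a hypothetical placeholder; substitute the cumulative
# update ID for your build). Run elevated so the update searcher can query
# the full catalog.
Get-PatchTuesdayStatus -ExpectedKB 'KB0000000' | Format-List
```

`Compliant` is deliberately conservative: a host counts as compliant only when every expected KB is present and the update agent reports no outstanding Critical updates, so a machine that has the cumulative update but is still missing a Critical servicing stack or .NET update shows up as non-compliant. Run it through `Invoke-Command` against a list of servers to get the same object back from each host.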


Microsoft Edge and Internet Explorer

Legacy Edge gets three critical patches for 2 RCEs and 1 EoP. There’s one RCE bug rated Important (CVE-2020-1096) in Edge’s PDF reader. It could let an attacker run arbitrary code in the context of the logged-in user. Internet Explorer 11 also gets 7 patches this month, 3 of which are rated Critical.

Microsoft Office

Microsoft Office 2019 gets one fix for an Important RCE. The vulnerability exists because Excel fails to handle objects in memory correctly. An attacker could run arbitrary code in the context of the logged-in user, so users without local administrator privileges are less impacted by this bug. A user would need to open a specially crafted file for the flaw to be exploited.

Microsoft Exchange, SharePoint, and SQL Server

There are no security fixes for Exchange Server or SQL Server. SharePoint Server 2016 gets 12 fixes, 4 of which Microsoft rates as Critical. All 4 critical flaws are RCEs. Of the remaining patches, 7 address spoofing issues and 1 an information disclosure problem.

Adobe software

Finally, Adobe Flash Player gets an update but without any security fixes. Adobe Acrobat and Acrobat Reader get 12 fixes, half of which are rated Critical. The critical bugs include arbitrary code execution and security feature bypass flaws.

That is it for another month!

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.