Patch Tuesday May 2020
May’s Patch Tuesday sees Microsoft issues fixes for a whopping 111 vulnerabilities, making this month the third biggest set of patches in Microsoft’s history. That said, there are no zero-day flaws. Let’s start with Windows 10 and Windows Server.
Windows 10 and Windows Server
This month there are 5 critical remote code execution (RCE) flaws in Windows 10 patched by Microsoft. 3 are memory corruption vulnerabilities in Windows Media Foundation. Attackers could exploit the vulnerabilities to install programs; view, change, or delete data; or create new accounts with full user rights. Users would need to visit a specially crafted website or open an infected document to fall victim.
The remaining 2 bugs are in the Color Management Module (ICM32.dll) and Microsoft Graphics Components. The ICM32.dll vulnerability could let an attacker create new accounts with full user rights. Users without admin privileges are less likely to be impacted. The Microsoft Graphics Components vulnerability could let an attacker run arbitrary code on the affected system if the user opened a specially crafted file.
Of the remaining 73 patches, which are rated Important, 53 address elevation of privilege (EoP) bugs and 6 RCE flaws. CVE-2020-1067 is an RCE bug that could let an attacker with a domain account run arbitrary code with elevated permissions.
Microsoft Edge and Internet Explorer
Legacy Edge gets three critical patches for 2 RCEs and 1 EoP. There’s one RCE bug rated Important (CVE-2020-1096) in Edge’s PDF reader. It could let an attacker run arbitrary code in the context of the logged in user. Internet Explorer 11 also gets 7 patches this month, 3 of which are rated Critical.
Microsoft Office 2019 gets one fix for an Important RCE. A vulnerability in Excel fails to handle objects correctly in memory. An attacker could run arbitrary code in the context of the logged in user. Users without local administrator privileges are less impacted by this bug. A user would need to open a specially crafted file for this flaw to be exploited.
Microsoft Exchange, SharePoint, and SQL Server
There are no security fixes for Exchange Server or SQL Server. SharePoint Server 2016 gets 12 fixes, 4 of which Microsoft rates as Critical. All 4 critical flaws are RCEs. Of the remaining patches, 7 address spoofing issues and 1 an information disclosure problem.
Finally, Adobe Flash Player gets an update but without any security fixes. Adobe Acrobat and Acrobat Reader get 12 fixes, half of which are rated Critical. The critical bugs include arbitrary code execution and security feature bypass flaws.
That is it for another month!
More in Windows 10
Microsoft Stops Selling Windows 10 Digital Downloads
Feb 1, 2023 | Rabia Noureen
Microsoft Offers Temporary Fix for Start menu or UWP App Freezing Issues on Windows 11 and 10
Jan 26, 2023 | Rabia Noureen
Microsoft to End Sale of Windows 10 Home and Pro Licenses This Month
Jan 19, 2023 | Rabia Noureen
Microsoft Releases a Script to Recover Some Windows App Shortcuts Deleted on Friday 13
Jan 16, 2023 | Rabia Noureen
[Updated] Microsoft to Fix Defender Bug Deleting Windows Apps Shortcuts from Taskbar
Jan 13, 2023 | Rabia Noureen
Microsoft FastTrack Now Helps IT Admins Deploy Windows Autopatch at No Additional Cost
Jan 13, 2023 | Rabia Noureen
Most popular on petri