Patch Tuesday – May 2020

May’s Patch Tuesday sees Microsoft issue fixes for a whopping 111 vulnerabilities, making this month the third biggest set of patches in Microsoft’s history. That said, there are no zero-day flaws. Let’s start with Windows 10 and Windows Server.

Windows 10 and Windows Server

This month there are 5 critical remote code execution (RCE) flaws in Windows 10 patched by Microsoft. Three of these are memory corruption vulnerabilities in Windows Media Foundation. Attackers could exploit the vulnerabilities to install programs; view, change, or delete data; or create new accounts with full user rights. Users would need to visit a specially crafted website or open an infected document to fall victim.

The remaining 2 bugs are in the Color Management Module (ICM32.dll) and Microsoft Graphics Components. The ICM32.dll vulnerability could let an attacker create new accounts with full user rights. Users without admin privileges are less likely to be impacted. The Microsoft Graphics Components vulnerability could let an attacker run arbitrary code on the affected system if the user opened a specially crafted file.

Of the remaining 73 patches, which are rated Important, 53 address elevation of privilege (EoP) bugs and 6 address RCE flaws. CVE-2020-1067 is an RCE bug that could let an attacker with a domain account run arbitrary code with elevated permissions.
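A quick way to triage a Windows host against this month’s release is to check whether anything has been installed since the Patch Tuesday date (12 May 2020) and whether the current session even holds the local administrator rights that several of these bugs depend on. The script below is an added example, not code from the original post or from Microsoft; it assumes it runs on the host being checked and deliberately hard-codes no KB numbers, since the post lists none.

```powershell
# Added example (not from the original post): patch-state triage on a Windows
# host after the May 2020 Patch Tuesday release (12 May 2020).
# Assumptions: runs locally on the host being checked; the release date is the
# only constant used, because the post does not list KB numbers.

$PatchTuesday = Get-Date '2020-05-12'

# 1. Is this session running with local administrator rights? Several of this
#    month's bugs are less impactful for non-admin users (least privilege).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as local administrator: $isAdmin"

# 2. Which updates were installed on or after the release date?
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    "Updates installed since $($PatchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    "No updates installed since $($PatchTuesday.ToShortDateString()); host may still need this month's patches."
}

# 3. Record the OS build, which determines which cumulative update applies.
$os = Get-CimInstance Win32_OperatingSystem
"OS: $($os.Caption) build $($os.BuildNumber)"
```

Get-HotFix only reports updates that register as hotfixes, so a clean result here is a prompt to confirm against Windows Update or your patch management console rather than proof that the host is current.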

Microsoft Edge and Internet Explorer

Legacy Edge gets three critical patches for 2 RCEs and 1 EoP. There’s one RCE bug rated Important (CVE-2020-1096) in Edge’s PDF reader. It could let an attacker run arbitrary code in the context of the logged-in user. Internet Explorer 11 also gets 7 patches this month, 3 of which are rated Critical.

Microsoft Office

Microsoft Office 2019 gets one fix for an Important RCE. The vulnerability stems from Excel failing to handle objects in memory correctly. An attacker could run arbitrary code in the context of the logged-in user. Users without local administrator privileges are less impacted by this bug. A user would need to open a specially crafted file for this flaw to be exploited.

Microsoft Exchange, SharePoint, and SQL Server

There are no security fixes for Exchange Server or SQL Server. SharePoint Server 2016 gets 12 fixes, 4 of which Microsoft rates as Critical. All 4 critical flaws are RCEs. Of the remaining patches, 7 address spoofing issues and 1 an information disclosure problem.

Adobe software

Finally, Adobe Flash Player gets an update but without any security fixes. Adobe Acrobat and Acrobat Reader get 12 fixes, half of which are rated Critical. The critical bugs include arbitrary code execution and security feature bypass flaws.

That is it for another month!