For the third consecutive month Microsoft issued a hefty list of Patch Tuesday security updates covering 111 CVEs with 16 making the critical list.
This is the third month Microsoft has had more than 100 vulnerabilities listed in its monthly security rollup, but unlike the last few months, May’s list does not contain any vulnerabilities currently being exploited in the wild.
However, there are several issues security experts believe need to be highlighted.
Dustin Childs or Trend Micro’s Zero Day Initiative pulled out CVE-2020-1071 and CVE-2020-1118 for special attention. The first is a Windows remote access common dialog elevation of privilege flaw that does have the drawback of the attacker needing physical access to the device and boot it to the login screen in order to exploit. However, if this is possible run arbitrary code with elevated privileges.
CVE-2020-1118 covers a null pointer dereference issue that can be exploited to create a denial of service condition.
“An attacker can exploit this vulnerability by sending a malicious Client Key Exchange message during a TLS handshake. The vulnerability affects both TLS clients and TLS servers, so just about any system could be shut down by an attacker. Either way, successful exploitation will cause the lsass.exe process to terminate,” Childs said.
Satnam Narang, staff research engineer at Tenable, highlighted CVE-2020-1117 in Microsoft Color Management and CVE-2020-1126 in Microsoft Color Management. Both require a user be tricked into opening a malicious email or visiting a compromised website.
“Successful exploitation would allow an attacker to perform actions on the system using the same permissions as the current user that was compromised. If the user has administrative privileges, the attacker could then perform a variety of actions, such as installing programs, creating a new account with full user rights, and viewing, changing or deleting data,” Narang said, although he noted Microsoft considers exploitation of these problems as less likely.
Another pair of vulnerabilities that can lead to remote code execution are particularly important, said Richard Melick, Sr. technical product manager, Automox, as they impact two very popular Microsoft tools, Visual Studio Code and SharePoint.
Melick noted that Visual Studio Code has about 50 percent of the market shore for developer tools so CVE-2020-1192 requires immediate attention.
The problem here is how Python extension loads workspace settings from a notebook file and if exploited gives an attacker the ability to take control of the target device acting as the current user. At this point the threat actor could steal critical information like source codes, inserting malicious code or backdoors into current projects, and install, modify, or delete data, he said.
CVE-2020-1024 impacts SharePoint, which is gained even more importance as the workforce has left the office for home forcing more online collaboration. If successfully exploited this flaw an attacker the ability to execute arbitrary code from the SharePoint application pool and the SharePoint server farm account, potentially impacting all the users connected into and using the platform.
“In light of a few of the critical vulnerabilities revealed and patched by Microsoft today, it is clear that services that support the expanding workspace are a heavy focus for both attackers and software providers. If enterprises are not responding to and deploying critical patches within 24 hours of release, they could be putting not only those individual, unpatched endpoints at risk but their full network,” Mellick said.
