June’s Patch Tuesday reveals 23 ways to remotely pwn Windows – and over 100 more bugs that could ruin your day

Patch Tuesday Microsoft has given IT admins and folks another busy Patch Tuesday with 129 security vulnerabilities to address.

The Redmond giant has posted fixes for CVE-listed bugs in its latest monthly security update, including 23 that allow for remote code execution. The massive bundle is not entirely unexpected, as security experts have suggested that vendors are still catching up on their patching and reporting routines.

Of the 129 patches this month, 11 were rated by Microsoft as critical security risks. Fortunately, there are no reports of public exploit code nor in-the-wild attacks on any of the flaws as yet – but remember Exploit Wednesday. Once the bugs are known, and patches available, exploits can be reverse-engineered.

LNK flaws strike again

One of the bugs that was of particular interest to researchers was CVE-2020-1299, a remote code execution issue that arises when trying to load Windows shortcut (LNK) files. This is the third time this year Microsoft has had to address an RCE bug in such shortcuts.

“An attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file,” explained Dustin Childs of the Trend Micro Zero Day Initiative (ZDI).

“These types of files are often put on a USB drive in an attempt to bridge an air-gapped network.”

Also catching the eye of the ZDI team was CVE-2020-1229, a security bypass bug in Outlook that, while not particularly concerning at first glance, poses a significant risk if chained with other exploits.

“This bug could allow attackers to automatically load remote images – even from within the Preview Pane,” said Childs. “While this bypass alone could just disclose the IP address of a target system, it’s not unheard of to get code execution through the processing of specially crafted images (see any GDI+ bug).”

Other RCE bugs include CVE-2020-1300, which is exploited via a malformed CAB file, and CVE-2020-1286, a Windows Shell bug that can be exploited with malformed web pages or emails.

SharePoint Server admins will want to make sure they test out and install the fix for CVE-2020-1181 as soon as possible in order to prevent remote code execution attacks. Microsoft also patched six SharePoint XSS flaws (CVE-2020-1177, CVE-2020-1183, CVE-2020-1297, CVE-2020-1298, CVE-2020-1318, CVE-2020-1320), two elevation of privilege flaws (CVE-2020-1295, CVE-2020-1178), and three spoofing bugs (CVE-2020-1148, CVE-2020-1289, CVE-2020-1323).

As usual, VBScript (CVE-2020-1213, CVE-2020-1216, CVE-2020-1260) and the ChakraCore Scripting Engine (CVE-2020-1073) were also among the recipients of critical remote code execution fixes.

While Microsoft tends not to consider Office and multimedia RCE bugs to be critical risks because users need to manually open files in order to trigger an attack, admins should put a priority on testing and patching the updates for Jet Database (CVE-2020-1208, CVE-2020-1236), Media Foundation (CVE-2020-1238, CVE-2020-1239), Excel (CVE-2020-1225, CVE-2020-1226), Office (CVE-2020-1321), VBScript (CVE-2020-1214, CVE-2020-1215, CVE-2020-1230), and SMB (CVE-2020-1301).

Those running word on Android will also want to make sure they update their software, as Microsoft issued a patch for CVE-2020-1223, a remote code execution flaw.

Haven’t killed Flash yet? In that case you’ll want this Adobe patch

Adobe has issued a fix for a single remote code execution hole in its aging Flash Player plugin. CVE-2020-9633 is a use-after-free bug present in the Windows, macOS, Linux, and ChromeOS versions of Flash Player. Adobe did not say who found the flaw.

Also updated was the Adobe Experience Manager, an ad management tool. The fix addresses six CVE-listed vulnerabilities (CVE-2020-9643, CVE-2020-9647, CVE-2020-9648, CVE-2020-9644, CVE-2020-9645, CVE-2020-9651) allowing for information disclosure and arbitrary JavaScript execution. Netcentric’s Thomas Hartmann found CVE-2020-9644, while indie researcher Dmitry Muntyanov got credit for CVE-2020-9645.

The third of the updates was given to Adobe Framemaker to clean up up three arbitrary code execution bugs (CVE-2020-9636, CVE-2020-9634, CVE-2020-9635). Adobe credits ZDI researcher Francis Provencher with reporting CVE-2020-9634 and CVE-2020-9635, while Honggang Ren of Fortiguard Labs found CVE-2020-9636.

Five Intel updates, including a re-hash of CacheOut bug

Chipzilla is now part of the Patch Tuesday as well, so everyone using Intel hardware will want to check out the fixes for flaws in Innovation Engine (CVE-2020-8675, elevation of privilege via the firmware build and signing tool) and Special Register Buffer (CVE-2020-0543, information disclosure caused by incomplete register data cleanup). This speculative execution vulnerability, dubbed SGAxe [PDF], is a new take on the CacheOut vulnerability.

A single bulletin was issued to address 20 different vulnerabilities in CSME, SPS, TXE, AMT, ISM, and DAL. The bugs have a number of sources, including the IPv6 subsystem, improper input validation, and a one-way hash in CSME.

Exploits could allow for denial of service, information disclosure, and elevation of privilege, the latter being particularly bad in the context of Intel firmware.

Intel also issued updates, for its BIOS (CVE-2020-0528, denial of service or elevation of privilege via improper buffer restrictions) and SSD firmware (CVE-2020-0527, information disclosure from insufficient control flow management).

SAP pushes 17 updates

Those admins looking over SAP installations will want to check if their software is included in the lineup of 17 June security notes, including fixes to Apache Tomcat (CVE-2020-1938), two fixes for SAP Commerce (CVE-2020-6265, CVE-2020-6264), SAP Success Factors (CVE-2020-6279), and NetWeaver (CVE-2020-6275). ®

Sponsored: Webcast: Ransomware has gone nuclear

READ MORE HERE