The May issue of the Tuesday edition of Patch was published this week. And there are a lot of safety patches.
Microsoft has released a total of 111 patches, although, as far as we know, none are being used. Sixteen of them received the highest criticism from Microsoft, ranging from remote code execution to privilege escalation.
One of the major software flaws was CVE-2020-1067, a vulnerability to remote code execution (RCE) in all supported versions of Windows. Anyone with a domain user account can use this account for advanced access to the target system. It is considered important, even if it somehow masks the threat.
This solution fixes an error in Windows RCE that could allow an attacker to execute random, high-permission code on affected systems, said Dustin Childs of Trend Micro’s ZDI. The only thing that prevents this is that an attacker needs a domain user account for his specially created request to succeed. This makes the bug an important target for both insider threats and penetration testers who want to expand their presence in the target business.
A single malicious MMS is enough to infiltrate a Samsung smartphone: Bug in a series of patches for Androidbroken
There is a long list of vulnerabilities in Microsoft’s web browser engines, Sharepoint, script interpreters and Visual Studio, which ZDI has summarized here, along with fewer vulnerabilities such as miscalculations in Windows kernel privilege. Basically, these are holes that can be used to open malicious files or malware already running on a PC.
Most of them are related to web browsers or some form of scripting, Childs said. Chakra Core, IE and EdgeHTML receive updates with reviews.
None of the fixed bugs are known or under active attack at the time of publication on the list. This means that Microsoft has released more than 110 CVEs over three consecutive months. Let’s see if they keep this pace all year round.
If you want to delve into some of the more interesting ones, there is the CVE-2020-1118, the weak denial of service for customers and servers handling TLS 1.2CVE-2020-1192, remote code execution in Visual Studio Code Python Extension; CVE-2020-1023, CVE-2020-1024, CVE-2020-1102 and CVE-2020-1069, remote code execution in Sharepoint; CVE-2020-1093, remote code execution in VBScript; and CVE-2020-1153, remote code execution in Microsoft Graphics Components.
If necessary, make sure you have downloaded, tested and deployed patches before someone exploits these vulnerabilities.
Problems with Windows 7
Those who still use Windows 7, and even those who pay Microsoft for support, should be aware of the KB4556399 problem, the .NET security and the quality of updates. Depending on your configuration, it may not be installed.
In Adobe: Two critical error fixes for the CVEseries
These include 36 bugs fixed this month by Adobe in Acrobat and Reader, as well as a normal range of code execution and denial of service bugs that require the document to be opened in order to use it. This time Linux fans are spared because patches are only available for MacOS and Windows computers.
SAP, VMware Critical Errors
In the meantime, SAP administrators will want to correct a number of errors, including CVE-2020-6282 (code injection), note 2622660 (chrome update), CVE-2020-6242 (code injection), and CVE-2020-6219 (de-serialization of unreliable data).
VMware has also released patches for CVE-2020-11651 and CVE-2020-11652, which are authentication and folder browsing vulnerabilities. ®
Webcast : Build a new generation of your business in the public cloud.