News

Microsoft Security Release for May Delivers Patches for 111 Flaws

• By Kurt Mackie
• 05/12/2020

This month's security patch bundle from Microsoft continued the hefty "Update Tuesday" trend, delivering fixes for approximately 111 common vulnerabilities and exposures (CVEs).

Security researchers sometimes differ on the exact tally, but that count comes from Dustin Childs of Trend Micro's Zero Day Initiative blog, who noted that 16 of the vulnerabilities were rated "Critical" by Microsoft, with 95 deemed "Important." No vulnerabilities in this patch bundle were known to be under active attack.

The 136-page Microsoft Security Guide for May listed a total of 2,720 items (many that repeat items) for those who want to do a hand count.

Affected Microsoft products getting patches  this month include Windows, Windows Defender, Microsoft browsers (IE and Edge), Microsoft Office, .NET Framework, .NET Core, Power BI, Microsoft Dynamics and Visual Studio, per Microsoft's May "Release Notes."

As usual, Microsoft published new Servicing Stack Updates this month, which are used to patch the Windows Update service and rated Critical. They're described in Microsoft's updated Security Advisory ADV990001.

The Microsoft patch load has been rather heavy so far this year. The May release represents the third consecutive patch bundle this year that addresses more than 110 CVEs, Childs noted.

Microsoft's May bundle was described by Greg Wiseman, a senior security researcher at Rapid7, as being on "the higher side of their typical volume" for the year.

Notable Critical CVEs
Security researchers offered views on some of the 16 Critical vulnerabilities in Microsoft's May patch bundle.

Todd Schell, senior product manager of security at Ivanti, noted via email that "most of the critical vulnerabilities are resolved by the OS and browser updates, but there are four critical vulnerabilities in SharePoint and one in Visual Studio." Ivanti will offer its May patch Tuesday talk on May 13 (signup here).

SharePoint Server (the 2019, 2016 and 2013 product brands) has four remote code execution (RCE) vulnerabilities this month, as described in CVE-2020-1023, CVE-2020-1024, CVE-2020-1069 and CVE-2020-1102, but most require getting an end user to open "a specially crafted SharePoint file," according to Jon Munshaw of the Cisco Talos blog. However, CVE-2020-1069 is somewhat different in that it would require an attacker "to upload a specially crafted packet to a SharePoint server," he added.

Wiseman noted that SharePoint is getting other fixes as well.

"SharePoint admins need to be aware of twelve distinct CVEs being patched this month, including CVE-2020-1069 (one of four RCEs), seven Spoofing weaknesses, and an information disclosure vulnerability (CVE-2020-1103)," Wiseman explained, via email.

SharePoint Server patching is a concern because it can get delayed, noted Jay Goodman, a strategic product marketing manager at Automox, which offers a May 2020 Patch Tuesday Index listing.

"Systems like SharePoint can often be difficult to take offline and patch, allowing RCE vulnerabilities to linger in your infrastructure," Goodman said in a released statement. "This gives attackers the ability to 'live off the land' and move laterally easily once access is gained via an existing exploit."

Visual Studio Code has a Critical RCE vulnerability (CVE-2020-1192) associated with a Python extension, which could be worse if the user is logged in with administrative user rights. "Once an attacker has gained access, they could be capable of stealing critical information like source codes, inserting malicious code or backdoors into current projects, and install, modify, or delete data," stated Richard Melick, a senior technical product manager at Automox.

Internet Explorer browsers (versions 11 and 9) have Critical and Moderate RCE vulnerabilities (CVE-2020-1062) due to a memory access flaw that could let an attacker "gain the same user rights as the current user," Microsoft explained. It can get triggered by visiting a specially crafted Web site or by getting an end user to click on an email attachment.

Wiseman noted that most of the Critical vulnerabilities getting patches this month pertain to "core components of the Windows operating system," and that "44 of the 55 Windows vulnerabilities allow elevation of privilege, a favourite for attackers who want to expand their capabilities after getting an initial foothold."

Rapid7 illustrates this concept of counting the May Microsoft software vulnerabilities by component in a graphic, which can be found at this Rapid7 patch Tuesday blog post.

Notable Important CVEs
Patches rated Important may seem like less of a concern, but IT pros should also consider Microsoft's risk-of-exploit numbers, according to Schell. He noted that this month "seven of the ten CVEs at higher risk of exploit are only rated as Important."

"It is not uncommon to look to the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as Important vs Critical," Schell wrote via email. "If your prioritization stops at vendor severity or even CVSS scores above a certain level you may want to reassess your metrics. Look to other risk metrics like Publicly Disclosed, Exploited (obviously), and Exploitability Assessment (Microsoft specific) to expand your prioritization process."

The Windows implementation of Transport Layer Security (TLS) protocol has an Important denial-of-service vulnerability (CVE-2020-1118). It gets triggered by sending a "specially crafted request to a target system utilizing TLS 1.2 or lower," according to Microsoft. "An attacker can exploit this vulnerability by sending a malicious Client Key Exchange message during a TLS handshake," Childs noted, adding that the flaw is found in both TLS clients and servers. It results in automatic reboots.

"CVE-2020-1118, a potentially very nasty vulnerability found in Windows implementation of TLS, could cause serious damage to hardware resulting in a permeant denial of service (PDoS)," stated Chris Hass, director of information security and research at Automox. "PDoS or otherwise known as 'phlashing,' is less common than then well-known DDoS; however, both have very similar goals, render the target system or service unusable."

Windows also has an Important elevation-of-privilege vulnerability (CVE-2020-1135) in the Windows Graphic Component that allows a "logged-on user to take over a system by running a specially crafted program," according to Childs. It's notable for having been unveiled during the Pwn2Own hacking contest.

Also on Windows front, there's an Important elevation-of-privilege vulnerability in the Remote Access Common Dialog (CVE-2020-1071), but attackers would "need to physically access the booted machine to reach the logon screen," Microsoft indicated.