May 2020 Patch Tuesday: Microsoft fixes 111 flaws, Adobe 36

For the May 2020 Patch Tuesday, Microsoft has fixed 111 CVE-numbered flaws and Adobe 36, but none are under active attack.

Microsoft’s updates

For the third time in the last three months, Microsoft squashed over 100 CVE-numbered bugs. Of the 111 flaws fixed this time, 16 are rated critical and the rest important, but none of them are publicly known or under active attack.

Among the vulnerabilities of note that have been patched are:

CVE-2020-1135 – A vulnerability in the Windows Graphics Component that could allow attackers to elevate their privileges on a compromised system and do things like steal credentials, install malware, etc. The vulnerability is found in most Windows 10 and Windows Server builds and Microsoft deems it “more likely to be exploited.”

CVE-2020-1118 – A vulnerability in Windows’ implementation of Transport Layer Security (TLS) that could allow a remote, unauthenticated attacker to continually reboot the target system, resulting in a denial-of-service condition.

“An attacker can exploit this vulnerability by sending a malicious Client Key Exchange message during a TLS handshake. The vulnerability affects both TLS clients and TLS servers, so just about any system could be shut down by an attacker. Either way, successful exploitation will cause the lsass.exe process to terminate,” Trend Micro Zero Day Initiative’s Dustin Childs explained.

Richard Melick, Sr. technical product manager at Automox, urges Visual Studio Code users to patch CVE-2020-1192, a critical RCE flaw that can be triggered when the Python extension loads workspace settings from a notebook file.

Visual Studio Code is an extremely popular source-code editor developed by Microsoft. “Accounting for over 50% of the market share of developer tools, an attacker is not short of potential targets, and if successful, would have the ability to take control of the victim machine acting as the current user,” Melick noted.

“Once an attacker has gained access, they could be capable of stealing critical information like source codes, inserting malicious code or backdoors into current projects, and install, modify, or delete data. Due to the importance and popularity of Visual Studio Code, it is critical that organizations deploy this patch within 24 hours before this vulnerability is weaponized and deployed.”

Another Visual Studio Code has also been patched this month (CVE-2020-1171) and, despite being rated important, “there’s no indication as to why one is more severe than the other, so you should treat them both as critical,” Childs advised.

Melick also singled out CVE-2020-1024, a RCE flaw in Microsoft SharePoint, an increasingly popular team collaboration platform.

“If exploited successfully, this vulnerability would give an attacker the ability to execute arbitrary code from the SharePoint application pool and the SharePoint server farm account, potentially impacting all the users connected into and using the platform. If an attacker is able to access this critical component of the network, lateral movement throughout the connected filesystems would be difficult to contain. With Microsoft Sharepoint’s rise in use to support remote workers, addressing this vulnerability quickly is critical to securing a central hub of access to the full corporate network and data,” he pointed out.

The Microsoft SharePoint security updates also fix three additional RCEs (one of which appears to be very similar in nature to CVE-2020-1024), four XSS flaws, three spoofing vulnerabilities and one information disclosure weakness.

“Systems like SharePoint can often be difficult to take offline and patch, allowing RCE vulnerabilities to linger in your infrastructure,” noted Jay Goodman, strategic product marketing manager, Automox. “This gives attackers the ability to ‘live off the land’ and move laterally easily once access is gained via an existing exploit.”

Jimmy Graham, Senior Director of Product Management at Qualys, advises admins to prioritize browser, Scripting Engine, Media Foundation, Microsoft Graphics, and Microsoft Color Management patches for workstation-type devices, including multi-user servers that are used as remote desktops for users.

Adobe’s updates

Adobe has released security updates for Adobe Acrobat and Reader (for Windows and macOS) and for the Adobe DNG Software Development Kit (SDK) (for Windows and macOS).

The Acrobat and Reader updates carry fixes for 24 vulnerabilities, half of which are considered to be critical, as they can lead to arbitrary code execution or can be used to bypass a security feature. Cisco Talos has released more details about two of the remote code execution vulnerabilities (CVE-2020-9607 and CVE-2020-9609).

The DNG SDK update squash twelve security bugs, four of which could be exploited for remote code execution, the rest for disclosure of potentially sensitive information. Mateusz Jurczyk from Google Project Zero has been credited with reporting them. Users are urged to upgrade to version 1.5.1 of the SDK.

UPDATE (May 13, 2020, 2:35 a.m. PT):

While we’re on the subject of vulnerability patching, the US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch a slew of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals.

UPDATE (May 14, 2020, 5:20 a.m. PT):

Details about another Windows vulnerability of note have been revealed, along with a PoC for it. CVE-2020-1048 is privilege escalation vulnerability in the Windows Print Spooler service, similar to one that attackers who deployed Stuxnet ten years ago exploited to great effect.