The latest Patch Tuesday fixes a record number of vulnerabilities, including new bugs in the SMB protocol
Microsoft has released a new series of regular security updates for Windows and other supported software. With fixes for a whopping 129 vulnerabilities, 11 of which were rated critical, the latest Patch Tuesday is the most extensive ever.
Importantly, however, none of the flaws was actively exploited or disclosed prior to the release. Slightly more than half of them were privilege-escalation flaws in various Windows components, although none of these were classified as critical.
Still, a number of vulnerabilities deserve special attention, not least because they are classified as critical and in some scenarios could be abused by bad actors to take control of vulnerable systems remotely and without any user interaction.
First, the Windows VBScript scripting engine contained three critical Remote Code Execution (RCE) flaws: CVE-2020-1213, CVE-2020-1216, and CVE-2020-1260, each of which received the "exploitation more likely" rating in Microsoft's Exploitability Index.
Successful exploitation of any of these vulnerabilities could grant the attacker the same user rights as the current user, including potential administrator rights. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," said Microsoft.
An RCE vulnerability, CVE-2020-1248, has been fixed in the Windows Graphics Device Interface (GDI). Because of the way GDI handles objects in memory, the vulnerability could allow an attacker to take control of a vulnerable system. An attack scenario could be to trick the target into opening a malicious attachment.
The latest update has also closed some gaps in SharePoint. This includes CVE-2020-1181, a critical-rated RCE flaw related to Microsoft SharePoint Server not properly identifying and filtering unsafe ASP.Net web controls. "An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process," said Microsoft.
The Server Message Block (SMB) protocol received patches for three important bugs, all rated "more likely to be exploited".
According to a SANS Technology Institute summary, CVE-2020-1206, a vulnerability in SMBv3 related to how the protocol handles certain requests, was rated 8.6 out of 10. "An attacker who successfully exploited the vulnerability could receive information to further compromise the user's system," said Microsoft.
This new vulnerability in the SMB decompression feature, called SMBleed, is present in Windows 10 versions 1903, 1909, and 2004. Details of the vulnerability have been released by ZecOps researchers, who discovered it while looking into SMBGhost, another and more serious vulnerability in the protocol that was patched three months ago via an out-of-band update.
With SMBleed, attackers can leak kernel memory remotely. In combination with SMBGhost, it enables pre-authentication remote code execution (RCE), according to the researchers.
The wormable SMBGhost flaw allows attackers to spread malware from computer to computer without user interaction. Citing open source reports, the United States' Cybersecurity & Infrastructure Security Agency (CISA) warned last week that threat actors are already targeting SMBGhost, tracked as CVE-2020-0796, with publicly available proof-of-concept (PoC) code.
This month's update also fixed an RCE vulnerability that affects SMBv1 and is indexed as CVE-2020-1301. It may evoke some echoes of the security hole in SMBv1 that was exploited by EternalBlue and facilitated the outbreak of WannaCryptor, aka WannaCry, in 2017. The third newly fixed SMB bug is CVE-2020-1284, a denial-of-service vulnerability in SMBv3 that could be exploited by attackers to crash vulnerable systems.
You are well advised to apply all available updates as soon as possible. If there are delays in receiving the patches, you can download the updates from the Microsoft Update Catalog.
Tomáš Foltýn June 10, 2020 – 4:53 p.m.