security updates that patch a total of 129 newly discovered
vulnerabilities affecting various versions of the Windows operating
system and related products.
This is the third Patch Tuesday update since the beginning of
the global Covid-19 outbreak, putting extra pressure on
security teams already struggling to keep up with patch management while
taking care not to break anything during this
lockdown season.
The 129 bugs in the June 2020 bucket for sysadmins and billions
of users include 11 critical vulnerabilities—all leading to remote
code execution attacks—and 118 classified as important in severity,
mostly leading to privilege escalation and spoofing
attacks.
According to the advisories Microsoft released today, attackers,
fortunately, do not appear to be exploiting any of the
vulnerabilities in the wild as zero-days, and details of none of the flaws
addressed this month were disclosed publicly before this
publication.
One of the notable flaws is an information disclosure
vulnerability (CVE-2020-1206[1]) in the Server Message Block
3.1.1 (SMBv3) protocol that, according to a team of researchers,
can be exploited in combination with the previously disclosed SMBGhost
(CVE-2020-0796)[2]
flaw to achieve remote code execution.
Three critical bugs (CVE-2020-1213, CVE-2020-1216[3], and CVE-2020-1260)
affect the VBScript engine and exist in the way it handles objects
in memory, allowing an attacker to execute arbitrary code in the
context of the current user.
Microsoft has rated these flaws as “Exploitation More Likely,”
explaining that it has consistently seen attackers exploiting
similar flaws in the past. Such attacks can be carried out remotely via a
browser, an application, or a Microsoft Office document that hosts the IE
rendering engine.
Another of the 11 critical issues is a vulnerability (CVE-2020-1299[4]) in the way Windows
handles shortcut (.LNK) files, allowing attackers to remotely execute
arbitrary code on targeted systems. Like all previous
LNK vulnerabilities, this type of attack could also lead to victims
losing control over their computers or having their sensitive data
stolen.
The GDI+ component that enables programs to use graphics and
formatted text on a video display or printer in Windows has also
been found vulnerable to a remote code execution flaw
(CVE-2020-1248).
According to Microsoft, the GDI+ RCE vulnerability can be exploited in
combination with a separate critical security feature bypass
vulnerability (CVE-2020-1229[5]) in Microsoft
Outlook that could let attackers automatically load
malicious images hosted on a remote server.
“In an email attack scenario, an attacker could exploit the
vulnerability by sending the specially crafted image to the user.
An attacker who successfully exploited this vulnerability could
cause a system to load remote images. These images could disclose
the IP address of the targeted system to the attacker,” the
advisory says.
Besides these, the June 2020 update also includes a patch for a
new critical remote code execution flaw (CVE-2020-9633[6]) affecting Adobe Flash
Player on Windows systems.
It’s recommended that all users apply the latest security
patches as soon as possible to prevent malware or miscreants from
exploiting them to gain remote control over vulnerable
computers.
To install the latest security updates, Windows users can
head to Start > Settings > Update & Security > Windows
Update and select Check for Windows updates.
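For administrators who would rather verify patch status from a console than click through Settings, the following PowerShell snippet is an added example (it is not from the article or from Microsoft) that lists the most recently installed hotfixes, reports the OS build and update build revision (UBR), and checks for a given KB. The KB identifier is a placeholder: substitute the June 2020 cumulative update KB for your Windows build, which the article does not list.

```powershell
# Added example, not part of the original article.
# Run from an elevated PowerShell prompt on the machine being checked.

# Placeholder, not a real identifier: replace with the June 2020 cumulative
# update KB that applies to this Windows build.
$ExpectedKb = 'KB0000000'

# Installed hotfixes, newest first (Get-HotFix reads Win32_QuickFixEngineering).
$hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending
$hotfixes |
    Select-Object -First 10 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# The UBR value rises with each cumulative update, so build.UBR is a quick
# way to compare a host against the build Microsoft lists for the update.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
'Windows build {0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR

if ($hotfixes.HotFixID -contains $ExpectedKb) {
    "Update $ExpectedKb is installed."
} else {
    "Update $ExpectedKb is NOT installed; opening Windows Update."
    # Opens Settings > Update & Security > Windows Update directly.
    Start-Process 'ms-settings:windowsupdate'
}
```

Get-HotFix only reports updates registered through the servicing stack, so on machines patched by other means (offline images, third-party tooling) compare the reported build.UBR against the build number Microsoft publishes for the update rather than relying on the KB check alone.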
References
[1] CVE-2020-1206 (portal.msrc.microsoft.com)
[2] SMBGhost (CVE-2020-0796) (thehackernews.com)
[3] CVE-2020-1216 (portal.msrc.microsoft.com)
[4] CVE-2020-1299 (portal.msrc.microsoft.com)
[5] CVE-2020-1229 (portal.msrc.microsoft.com)
[6] CVE-2020-9633 (helpx.adobe.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/-ZrKOECVLrg/windows-update-june.html