Security News > 2020 > June > June's Patch Tuesday reveals 23 ways to remotely pwn Windows – and over 100 more bugs that could ruin your day
The Redmond giant has posted fixes for CVE-listed bugs in its latest monthly security update, including 23 that allow for remote code execution.
One of the bugs that was of particular interest to researchers was CVE-2020-1299, a remote code execution issue that arises when trying to load Windows shortcut files.
Other RCE bugs include CVE-2020-1300, which is exploited via a malformed CAB file, and CVE-2020-1286, a Windows Shell bug that can be exploited with malformed web pages or emails.
While Microsoft tends not to consider Office and multimedia RCE bugs to be critical risks because users need to manually open files in order to trigger an attack, admins should put a priority on testing and patching the updates for Jet Database, Media Foundation, Excel, Office, VBScript, and the outdated SMBv1.
The third of the updates was given to Adobe Framemaker to clean up up three arbitrary code execution bugs.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/06/09/june_2020_patch_tuesday/
Related news
- April's Patch Tuesday leaves unlucky Windows Hello users unable to login (source)
- New Windows zero-day leaks NTLM hashes, gets unofficial patch (source)
- April 2025 Patch Tuesday forecast: More AI security introduced by Microsoft (source)
- Week in review: Probing activity on Palo Alto Networks GlobalProtect portals, Patch Tuesday forecast (source)
- Microsoft April 2025 Patch Tuesday fixes exploited zero-day, 134 flaws (source)
- Patch Tuesday: Microsoft Fixes 134 Vulnerabilities, Including 1 Zero-Day (source)
- Microsoft pitches pay-to-patch reboot reduction subscription for Windows Server 2025 (source)
- May 2025 Patch Tuesday forecast: Panic, change, and hope (source)
- Week in review: The impact of a CVE-free future on cyber defense, Patch Tuesday forecast (source)
- Microsoft May 2025 Patch Tuesday fixes 5 exploited zero-days, 72 flaws (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-09 | CVE-2020-1286 | Improper Input Validation vulnerability in Microsoft products A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths.An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user, aka 'Windows Shell Remote Code Execution Vulnerability'. | 8.8 |
| 2020-06-09 | CVE-2020-1299 | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, aka 'LNK Remote Code Execution Vulnerability'. | 8.8 |
| 2020-06-09 | CVE-2020-1300 | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files.To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver.The update addresses the vulnerability by correcting how Windows handles cabinet files., aka 'Windows Remote Code Execution Vulnerability'. | 8.8 |