Security News > 2020 > June > June's Patch Tuesday reveals 23 ways to remotely pwn Windows – and over 100 more bugs that could ruin your day
The Redmond giant has posted fixes for CVE-listed bugs in its latest monthly security update, including 23 that allow for remote code execution.
One of the bugs that was of particular interest to researchers was CVE-2020-1299, a remote code execution issue that arises when trying to load Windows shortcut files.
Other RCE bugs include CVE-2020-1300, which is exploited via a malformed CAB file, and CVE-2020-1286, a Windows Shell bug that can be exploited with malformed web pages or emails.
While Microsoft tends not to consider Office and multimedia RCE bugs to be critical risks because users need to manually open files in order to trigger an attack, admins should put a priority on testing and patching the updates for Jet Database, Media Foundation, Excel, Office, VBScript, and the outdated SMBv1.
The third of the updates was given to Adobe Framemaker to clean up up three arbitrary code execution bugs.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/06/09/june_2020_patch_tuesday/
Related news
- Microsoft says premature patch could make Windows Recall forget how to work (source)
- December 2024 Patch Tuesday forecast: The secure future initiative impact (source)
- New Windows zero-day exposes NTLM credentials, gets unofficial patch (source)
- Week in review: Veeam Service Provider Console flaws fixed, Patch Tuesday forecast (source)
- Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws (source)
- Microsoft holds last Patch Tuesday of the year with 72 gifts for admins (source)
- Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others (source)
- What Is Patch Tuesday? Microsoft’s Monthly Update Explained (source)
- January 2025 Patch Tuesday forecast: Changes coming in cybersecurity guidance (source)
- Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-09 | CVE-2020-1286 | Improper Input Validation vulnerability in Microsoft products A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths.An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user, aka 'Windows Shell Remote Code Execution Vulnerability'. | 8.8 |
| 2020-06-09 | CVE-2020-1299 | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, aka 'LNK Remote Code Execution Vulnerability'. | 8.8 |
| 2020-06-09 | CVE-2020-1300 | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files.To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver.The update addresses the vulnerability by correcting how Windows handles cabinet files., aka 'Windows Remote Code Execution Vulnerability'. | 8.8 |