June's Patch Tuesday reveals 23 ways to remotely pwn Windows – and over 100 more bugs that could ruin your day

The Redmond giant has posted fixes for CVE-listed bugs in its latest monthly security update, including 23 that allow for remote code execution.
One of the bugs that was of particular interest to researchers was CVE-2020-1299, a remote code execution issue that arises when trying to load Windows shortcut files.
Other RCE bugs include CVE-2020-1300, which is exploited via a malformed CAB file, and CVE-2020-1286, a Windows Shell bug that can be exploited with malformed web pages or emails.
While Microsoft tends not to consider Office and multimedia RCE bugs to be critical risks because users need to manually open files in order to trigger an attack, admins should put a priority on testing and patching the updates for Jet Database, Media Foundation, Excel, Office, VBScript, and the outdated SMBv1.
The third of the updates was given to Adobe FrameMaker to clean up three arbitrary code execution bugs.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/06/09/june_2020_patch_tuesday/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-06-09 | CVE-2020-1286 | Improper Input Validation vulnerability in Microsoft products. A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user, aka 'Windows Shell Remote Code Execution Vulnerability'. | 8.8 |
2020-06-09 | CVE-2020-1299 | Unspecified vulnerability in Microsoft products. A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, aka 'LNK Remote Code Execution Vulnerability'. | 8.8 |
2020-06-09 | CVE-2020-1300 | Unspecified vulnerability in Microsoft products. A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver. The update addresses the vulnerability by correcting how Windows handles cabinet files, aka 'Windows Remote Code Execution Vulnerability'. | 8.8 |