Microsoft Patches Critical Code Execution Vulnerabilities in Windows, Browsers
"Microsoft's latest fixes in its June Patch Tuesday update show that when it comes to vulnerabilities, what's old is new again. The same vulnerabilities we've seen appear in Adobe Flash over the past few years, along with common cross-site-scripting issues, were addressed this month. As witnessed within Microsoft Office SharePoint, there were multiple XSS vulnerabilities identified in the same product - this could be the result of a researcher who found one flaw and decided to continue digging, or Microsoft itself going through similar flows of code to try to fix them all."
"This month starts with CVE-2020-1281, a remote code execution vulnerability in Microsoft's Object Linking & Embedding. This vulnerability impacts Windows 7 through 10 and Windows Server 2008 through 2019. The vulnerability exists in the way OLE validates user input. An attacker who sent a specially crafted file or program, or convinced a victim to download one, could execute malicious code on the victim's machine. Microsoft assigned this vulnerability a CVSS score of 7.8; a similar vulnerability, CVE-2017-0199, has been widely exploited including by the Lazarus group and APT 34."
"CVE-2020-1299 is a remote code execution vulnerability in the way Microsoft processes .LNK files. This vulnerability affects Windows 7 through 10 and Windows Server 2008 through Windows Server 2019. In order to exploit this vulnerability, the attacker would need to provide a removable drive or a remote drive share that contains the malicious .LNK file. In March 2020, Microsoft announced a similar vulnerability, CVE-2020-0684. There was a lot of concern about it being exploited when it was first released but, to date, it has not been exploited in the wild."
In terms of urgency, critical remote execution vulnerabilities are typically choice patches to prioritize.
"Last, but not least, I want to acknowledge the SMBv3 vulnerabilities being addressed this month. CVE-2020-0796, disclosed back in March 2020, is now seeing functional PoCs targeting unpatched systems. Luckily, these vulnerabilities continue to affect Windows 10 variants on Version 1903 onwards. There is a commonality between all these vulnerabilities and it is that mitigation can be accomplished via disabling SMBv3 compression, which is stated as having no negative performance impact. There are patches, and patches will always be a solid strategy, but it's nice to know what the alternatives could be."
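The SMBv3 compression mitigation mentioned above can be audited and applied from an elevated PowerShell session. This is an added example, not part of the original article: the registry path and `DisableCompression` value are those of Microsoft's published workaround for CVE-2020-0796, and the two function names are hypothetical helpers.

```powershell
# Added example: audit and apply the SMBv3 compression workaround (CVE-2020-0796).
# Registry path and value name follow Microsoft's published workaround.
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Hypothetical helper: reports whether the workaround is in place.
function Get-SmbCompressionWorkaroundState {
    $prop = Get-ItemProperty -Path $SmbParams -Name DisableCompression `
                             -ErrorAction SilentlyContinue
    # A missing value means compression is still enabled (the default).
    if ($null -ne $prop -and $prop.DisableCompression -eq 1) { 'Disabled' }
    else { 'Enabled' }
}

# Hypothetical helper: sets DisableCompression = 1; supports -WhatIf for dry runs.
function Enable-SmbCompressionWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ((Get-SmbCompressionWorkaroundState) -eq 'Disabled') {
        Write-Verbose 'SMBv3 compression is already disabled.'
        return
    }
    if ($PSCmdlet.ShouldProcess($SmbParams, 'Set DisableCompression = 1')) {
        Set-ItemProperty -Path $SmbParams -Name DisableCompression `
                         -Type DWord -Value 1 -Force
    }
}

# Record the state before changing it, so the audit trail shows what was found.
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    OSBuild     = [System.Environment]::OSVersion.Version.Build
    Compression = Get-SmbCompressionWorkaroundState
}

Enable-SmbCompressionWorkaround -Verbose

# Confirm the change took effect.
Get-SmbCompressionWorkaroundState
```

The registry setting covers the SMB server role only; SMB clients stay exposed until the patch is installed.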
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-06-09 | CVE-2020-1281 | Integer Overflow or Wraparound vulnerability in Microsoft products. A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'. | 8.8 |
2020-06-09 | CVE-2020-1299 | Unspecified vulnerability in Microsoft products. A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, aka 'LNK Remote Code Execution Vulnerability'. | 8.8 |
2020-03-12 | CVE-2020-0684 | Unspecified vulnerability in Microsoft products. A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, aka 'LNK Remote Code Execution Vulnerability'. | 8.8 |
2020-03-12 | CVE-2020-0796 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Windows 10 and Windows Server 2016. A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'. | 10.0 |
2017-04-12 | CVE-2017-0199 | Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API." | 7.8 |