Updated on May 20, 2020, 1:45 P.M. PST to include additional Trend Micro solutions.
This month’s Patch Tuesday includes 111 fixes for Microsoft. Of the 111 vulnerabilities, 16 have been rated Critical while the rest have been ranked Important. Four of the vulnerabilities rated as Important for this release were disclosed by the Zero Day Initiative (ZDI): two for remote code execution (RCE) and two for escalation of privileges. Other updates include a few fixes for security flaws for SharePoint and CVE-2020-1118, which is a vulnerability found in the transport layer security (TLS) implementation.
The number of patches released in 2020 has been noticeably more than “the usual,” compared with the number of updates in the same period in 2019. Microsoft has been ramping up the release of updates, averaging 97 per month, for an increase of 25%.
|Average number of updates per month||63.0||68.8||97.4|
Microsoft Office SharePoint flaws
Continuing from April’s Patch Tuesday, Microsoft released 12 updates to patch vulnerabilities in SharePoint. Five of these were rated as Critical; four may be abused for RCE and one for information disclosure. The remaining seven were regarded as Important and can be used by attackers for spoofing, allowing unauthorized individuals to imitate legitimate devices and users to steal information, install and propagate malware, or control the vulnerable systems, among others.
CVE-2020-1023, CVE-2020-1024, CVE-2020-1069, and CVE-2020-1102 can be abused by threat actors for RCE, and were all disclosed towards the end of 2019. CVE-2020-1023, CVE-2020-1024 and CVE-2020-1102 are gaps in the software when it fails to check the source markup of an application package. These can be abused by an attacker by sending a specially crafted package in the context of the application pool and server farm account. CVE-2020-1069 exists in SharePoint Server when it fails to filter unsafe ASP.Net web controls, and can be exploited by an attacker by creating and invoking a crafted page to perform actions to affect the pool process.
Meanwhile, CVE-2020-1103 is a vulnerability existing in certain modes of the search function and can be abused through cross-site search attacks. This could allow threat actors to view query information via standard browser functionality. By taking advantage of users simultaneously logged into the software server, the attacker can see whether the query returned results or not, and can use that information to send targeted queries to discover sensitive information available to the logged in account.
CVE-2020-1118 is a TLS vulnerability that attackers can exploit to perpetrate a denial of service (DoS) attack on the system. With CVE-2020-1118, malicious actors can send a specially crafted request, triggering the system to reboot. If successfully exploited, the attackers may cause the vulnerable system to stop responding, and just about any system could be shut down by an attacker as the flaw affects both TLS clients and servers. Vulnerable systems that can exploit this flaw will cause lsass.exe to terminate, and can potentially cause disruptions in daily business operations.
ZDI reported CVE-2020-1096, CVE-2020-1150, CVE-2020-1135, and CVE-2020-1151. CVE-2020-1096 is an MS Edge PDF RCE and may be exploited by hosting a website containing a malicious PDF document for a web-based attack, or send an email with a link that takes the victim to the malicious link. This could enable the attacker to get the same rights to the system as the current user, and take control of the system with full administrative rights. CVE-2020-1150 can be abused when the Media Foundation improperly handles objects in memory, and can enter the system via activating malicious macros in a document or by visiting a malicious webpage. Exploiting this vulnerability could allow an attacker to install programs; view, change, or delete data; or create new user accounts with the permissions to access the system. CVE-2020-1135 and CVE-2020-1151 can be used to gain escalation of account privileges via exploiting the Windows Graphic component and Runtime vulnerabilities, respectively.
Trend Micro solutions
While some patches may be implemented enterprise-wide simultaneously, users are advised to download individual patches in their systems as soon as possible. As more employees work from their homes, it is also recommended that users install security solutions that can protect their respective systems from attacks abusing these vulnerabilities.
- 1010254 - Microsoft Internet Explorer JScript Remote Code Execution Vulnerability (CVE-2020-1062)
- 1010255 - Microsoft Internet Explorer VBScript Remote Code Execution Vulnerability (CVE-2020-1060)
- 1010256 - Microsoft Internet Explorer VBScript Remote Code Execution Vulnerability (CVE-2020-1058)
- 1010257 - Microsoft Internet Explorer VBScript Remote Code Execution Vulnerability (CVE-2020-1035)
- 1010258 - Microsoft Windows Transport Layer Security Denial of Service Vulnerability (CVE-2020-1118) – Server
- 1010259 - Microsoft Windows Graphics Components Remote Code Execution Vulnerability (CVE-2020-1153)
- 1010270 - Microsoft Edge PDF Remote Code Execution Vulnerability (CVE-2020-1096)
- 1010271 - Microsoft Windows Media Foundation Memory Corruption Vulnerabilities (CVE-2020-1028 and CVE-2020-1126)
- 1010272 - Microsoft Windows Media Foundation Memory Corruption Vulnerability (CVE-2020-1150)
- 1010273 - Microsoft Windows Jet Database Engine Remote Code Execution Vulnerability (CVE-2020-1051)
- 1010274 - Microsoft Windows Jet Database Engine Remote Code Execution Vulnerability (CVE-2020-1174)
- 1010278 - Microsoft Windows Jet Database Engine Remote Code Execution Vulnerability (CVE-2020-1175)
- 1010276 - Microsoft Windows Jet Database Engine Remote Code Execution Vulnerability (CVE-2020-1176)
- 1010277 - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-1102)
Trend Micro™ TippingPoint® protects customers through the following rules:
- 36897: HTTP: Microsoft Windows JET Database Engine Memory Corruption Vulnerability
- 36900: HTTP: Microsoft JET Database Engine Memory Corruption Vulnerability
- 36901: HTTP: Microsoft Windows JET Database Engine Memory Corruption Vulnerability
- 36976: HTTP: Microsoft Internet Explorer CWMPErrorDlg Use-After-Free Vulnerability
- 37035: HTTP: Microsoft SharePoint Shared Forms Security Bypass Vulnerability
- 37051: HTTP: Microsoft Windows JET Database Engine Memory Corruption Vulnerability
- 37245: HTTP: Microsoft Windows Media Player HEVC Stream Parsing Buffer Overflow Vulnerability
- 37377, 37378: HTTP: Microsoft Windows Media Player HEVC Stream Parsing Out-Of-Bounds Write Vulnerability, HTTP: Microsoft Windows Media Player HEVC Stream Parsing Out-Of-Bounds Write Vulnerability
- 37723: HTTP: Microsoft Internet Explorer Remote Code Execution Vulnerability
- 37724: HTTP: Microsoft Internet Explorer Remote Code Execution Vulnerability
- 37725: HTTP: Microsoft Internet Explorer propertyIsEnumerable Use-After-Free Vulnerability
- 37727: HTTP: Microsoft Internet Explorer RedimPreserve Use-After-Free Vulnerability
- 37728: HTTP: Microsoft Windows PGlbCounter Font Parsing Out-of-Bounds Write Vulnerability
- 37751: TLS: Microsoft Windows TLS Key Exchange Denial-of-Service Vulnerability