Microsoft released patches for 129 CVEs covering Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based and Chromium-based in IE Mode), ChakraCore, Office and Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, and Microsoft Apps for Android.
A trio of fixes stood out in the Patch Tuesday updates: three flaws in Microsoft Server Message Block (SMB). Two of them exist in Microsoft Server Message Block 3.1.1 (SMBv3). All three are notable because Microsoft's Exploitability Index rates them "exploitation more likely."
The two flaws in SMBv3 include a denial-of-service vulnerability (CVE-2020-1284) and an information-disclosure vulnerability (CVE-2020-1206), both of which can be exploited by a remote, authenticated attacker.
The flaws “follow in the footsteps” of CVE-2020-0796, a “wormable” remote code execution flaw in SMBv3 that was patched back in March, dubbed “SMBGhost.” CISA recently warned that the release of a fully functional proof-of-concept (PoC) for SMBGhost could soon spark a wave of cyberattacks.
The third vulnerability patched in Microsoft SMB, CVE-2020-1301, is a remote code-execution vulnerability that exists in the way SMBv1 handles requests. To exploit the flaw, an attacker would need to be authenticated and to send a specially crafted packet to a targeted SMBv1 server.
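A practitioner reading about three SMB fixes in one month will want to know where their own hosts stand: whether the legacy SMBv1 server (the target of CVE-2020-1301) is still enabled, whether the March SMBGhost compression workaround is still in place, and whether this month's updates actually installed. The following audit script is an added example written for this article, not code from Microsoft or from the article's authors. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, where the Get-SmbServerConfiguration, Get-WindowsOptionalFeature and Get-HotFix cmdlets exist; the DisableCompression registry value is the one Microsoft documented as the workaround for CVE-2020-0796.

```powershell
# Added example (not from the article or Microsoft): audit the SMB settings
# relevant to this month's SMB fixes. Run in an elevated PowerShell session.

# 1. Is the SMBv1 server still enabled? CVE-2020-1301 is an SMBv1 RCE, and
#    SMBv1 should be off unless a legacy device genuinely needs it.
$smbConfig = Get-SmbServerConfiguration
[pscustomobject]@{
    SMB1ServerEnabled = $smbConfig.EnableSMB1Protocol
    SMB2ServerEnabled = $smbConfig.EnableSMB2Protocol
}

# On client SKUs the SMBv1 optional feature is the switch to inspect or remove.
# (On Server SKUs the equivalent is the FS-SMB1 role feature via Get-WindowsFeature.)
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue |
    Select-Object FeatureName, State

# 2. SMBv3 compression: Microsoft's March workaround for SMBGhost (CVE-2020-0796)
#    set DisableCompression = 1 under LanmanServer\Parameters. Knowing whether it
#    is still present tells you whether a host was mitigated before it was patched.
$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$disableCompression = (Get-ItemProperty -Path $lanmanParams -Name DisableCompression `
    -ErrorAction SilentlyContinue).DisableCompression
"SMBv3 compression disabled by SMBGhost workaround: $($disableCompression -eq 1)"

# 3. Confirm recent updates actually landed: list the five most recently installed hotfixes.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

# Remediation, to be uncommented only after ruling out legacy SMBv1 dependencies
# (old NAS devices, printers, scanners):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Disabling SMBv1 removes the attack surface for CVE-2020-1301 outright, which is why the remediation lines are included; they are left commented because turning the protocol off on a host that still serves legacy clients is a change to plan, not to script blindly.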
Five critical remote code-execution flaws were fixed in VBScript, Microsoft's Active Scripting language modeled on Visual Basic (CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260). The flaws exist in the way the VBScript engine handles objects in memory; an attacker could corrupt memory in such a way that allows them to execute arbitrary code in the context of the current user.
In a real-life attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” said Microsoft. “If the current user is logged on with administrative-user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.”
Other Critical Flaws
Also of note is a critical flaw (CVE-2020-1299) in Microsoft Windows that could allow remote code execution when a .LNK file is processed. A .LNK file is a Windows shortcut, or "link." An attacker can place a malicious .LNK on a removable drive or remote share and then convince the victim to open the drive or share in Windows Explorer; when Explorer parses the shortcut, the attacker's binary runs. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, according to Microsoft.
The update also addressed a Windows critical RCE flaw (CVE-2020-1300) that exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver, according to Microsoft’s update.
Another critical vulnerability (CVE-2020-1286) exists due to Windows Shell not properly validating file paths. An attacker could exploit the flaw by convincing a user to open a specially crafted file, and then would be able to run arbitrary code in the context of the user, according to Microsoft’s update.
“If the current user is logged on as an administrator, an attacker could take control of the affected system,” said Microsoft. “An attacker could then install programs; view, change or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.”
A critical flaw (CVE-2020-1181) in SharePoint Server was also fixed, stemming from the server failing to properly identify and filter unsafe ASP.NET web controls. The flaw can be abused by an authenticated, remote user who invokes a specially crafted page on an affected version of Microsoft SharePoint Server, allowing them to execute code in the context of the SharePoint application pool and server farm account.
Microsoft also issued updates addressing Windows 10, 8.1 and Windows Server versions affected by a critical, use-after-free Adobe Flash Player flaw (CVE-2020-9633). According to Microsoft, “In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website.”