Microsoft June 2020 Patch Tuesday addresses 129 vulnerabilities affecting Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based and Chromium-based in IE Mode), ChakraCore, Office and Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, and Microsoft Apps for Android.
This is the highest number of CVEs ever released by Microsoft in a single month. 11 remote code execution vulnerabilities are rated as Critical while 118 are rated as Important in severity.
None of the vulnerabilities addressed by the Microsoft June 2020 Patch Tuesday is known to be exploited by attackers in the wild. Microsoft also added that none of them was publicly disclosed before this publication.
Microsoft addressed three flaws in Microsoft Server Message Block (SMB); two of these vulnerabilities affect Microsoft Server Message Block 3.1.1 (SMBv3). Microsoft rated all three vulnerabilities as “exploitation more likely” on its Exploitability Index.
Both the denial-of-service vulnerability (CVE-2020-1284) and the information-disclosure vulnerability (CVE-2020-1206) in SMBv3 could be exploited by a remote, authenticated attacker.
The CVE-2020-1206 flaw can be chained with the previously disclosed SMBGhost vulnerability (CVE-2020-0796) to remotely execute arbitrary code on vulnerable systems.
One of the most notable critical issues is the CVE-2020-1299 flaw, which is related to the way Windows handles Shortcut files (.LNK) and could be exploited by attackers to remotely execute arbitrary code on targeted systems. An attacker could trigger the flaw by tricking the victim into processing a specially crafted .LNK file, for example by placing it on a USB drive in an attempt to bridge an air-gapped network.
Another interesting issue addressed this month by Microsoft is the Microsoft Outlook Security Feature Bypass Vulnerability tracked as CVE-2020-1229. The vulnerability could be exploited by attackers to automatically load remote images, even when displayed in the Preview Pane.
Microsoft June 2020 Patch Tuesday also addressed a Windows Remote Code Execution Vulnerability tracked as CVE-2020-1300.
“A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files.” reads the advisory published by Microsoft.
“To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver.”
Microsoft also fixed three other critical flaws in the VBScript engine, tracked as CVE-2020-1213, CVE-2020-1216, and CVE-2020-1260. The vulnerabilities exist in the way the engine handles objects in memory, allowing an attacker to execute arbitrary code in the context of the current user.
According to Microsoft, the GDI+ RCE vulnerability can be exploited in combination with a separate critical security feature bypass vulnerability (CVE-2020-1229) affecting Microsoft Outlook, which could let attackers automatically load malicious images hosted on a remote server.
Microsoft also fixed a new critical remote code execution flaw, tracked as CVE-2020-9633, which affects Adobe Flash Player for Windows systems.
The list of flaws addressed this month by Microsoft is available here:
(SecurityAffairs – Microsoft June 2020 Patch Tuesday, hacking)