Microsoft today released its June 2020 batch of software security updates that patches a total of 129 newly discovered vulnerabilities affecting various versions of Windows operating systems and related products.
This is the third Patch Tuesday update since the beginning of the global Covid-19 outbreak, putting extra pressure on security teams that are struggling to keep up with patch management while taking care not to break anything during this lockdown season.
The 129 bugs in the June 2020 bucket for sysadmins and billions of users include 11 critical vulnerabilities—all leading to remote code execution attacks—and 118 classified as important in severity, mostly leading to privilege escalation and spoofing attacks.
According to the advisories Microsoft released today, hackers, fortunately, don’t appear to be exploiting any of the zero-day vulnerabilities in the wild, and details of none of the flaws addressed this month were disclosed publicly before this publication.
One of the notable flaws is an information disclosure vulnerability (CVE-2020-1206) in the Server Message Block 3.1.1 (SMBv3) protocol that, according to a team of researchers, can be exploited in combination with the previously disclosed SMBGhost (CVE-2020-0796) flaw to achieve remote code execution.
Three critical bugs (CVE-2020-1213, CVE-2020-1216, and CVE-2020-1260) affect the VBScript engine and exist in the way it handles objects in memory, allowing an attacker to execute arbitrary code in the context of the current user.
Microsoft has listed these flaws as “Exploitation more likely,” explaining that it has seen attackers consistently exploiting similar flaws in the past, and that attacks can be carried out remotely via a browser, application, or Microsoft Office document that hosts the IE rendering engine.
One of the 11 critical issues is a vulnerability (CVE-2020-1299) in the way Windows handles shortcut files (.LNK), allowing attackers to execute arbitrary code on the targeted systems remotely. Like all previous LNK vulnerabilities, this type of attack could also lead to victims losing control over their computers or having their sensitive data stolen.
The GDI+ component that enables programs to use graphics and formatted text on a video display or printer in Windows has also been found vulnerable to a remote code execution flaw (CVE-2020-1248).