Microsoft Patch Tuesday May 2020: comments from VM vendors, promising stuff for phishing, troubles with SharePoint and lulz with Visual Studio

2020-05-13T00:49:16
ID AVLEONOV:D8BE9238C3E35C438BC4D8515D78E548
Type avleonov
Reporter Alexander Leonov
Modified 2020-05-13T00:49:16

Description

This will be my third Microsoft Patch Tuesday report in video and audio format. And for the third time in a row, Microsoft has addressed over a hundred vulnerabilities. With my Microsoft Patch Tuesday parser, it was possible to generate a report almost on the same day. But, of course, it takes much more time to describe the vulnerabilities manually.

Microsoft Patch Tuesday May 2020

  • All vulnerabilities: 111
  • Critical: 16
  • Important: 95
  • Moderate: 0
  • Low: 0

Last time I complained that different VM vendors release completely different reports for Microsoft Patch Tuesday. This time I decided that it's not a bug, but a feature. I upgraded my script to not only show vulnerabilities, but also show how these vulnerabilities were mentioned in the reports of various VM vendors (Tenable, Qualys, Rapid7 and ZDI). In my opinion, it seems pretty useful.

Exploitation detected (0)

In the old report, we can see that there are no vulnerabilities actively used in attacks.

Exploitation more likely (8)

There are 8 vulnerabilities that MS considers more likely to be exploited. We see the types of these vulnerabilities and what products they affect. But all other details should be googled.

Remote Code Execution

Elevation of Privilege

And here my script adds comments about vulnerabilities from the vendors and highlights vulnerabilities that were mentioned (or not mentioned).

my script adds comments about vulnerabilities from the vendors

We can see right away that Rapid7 recommends paying attention to RCE in Internet Explorer (CVE-2020-1062), although other vendors ignore this vulnerability.

According to W3Counter, the current IE11 share is only 1.75%. But, on the other hand, it can still be used in some organizations to access legacy systems. And so this vulnerability may be exploited in targeted attacks.

Tenable pays attention to RCE in Microsoft Graphics Components. "The attacker would need to utilize social engineering tactics to convince a user to open a specially crafted file". Finally, ZDI claims that VBScript RCE (CVE-2020-1060) is especially interesting because "does't involve some form of user interaction".

Agree that looking at Microsoft Patch Tuesday vulnerabilities in this way is much more fun. 🙂

Regarding the Elevation of Privilege, ZDI claims that Windows Graphics Component EoP (CVE-2020-1135) is a real exploitable thing. Tenable mentions vulnerabilities of this type in Windows Kernel (CVE-2020-1054, CVE-2020-1143).

These were all "more likely to be exploited" vulnerabilities, according to Microsoft.

Other Product based (36)

What about other vulnerabilities? Let's see the large groups of vulnerabilities in the same product. Strictly speaking, there is only one product, Microsoft SharePoint, with a bunch of different vulnerabilities. The rest are EoPs in Windows components that no VM vendor mentions.

Microsoft SharePoint

Windows Runtime

Windows State Repository Service

But they write a lot about SharePoint, especially about RCEs (CVE-2020-1023, CVE-2020-1024, CVE-2020-1069, CVE-2020-1102). Three of the four RCEs involve uploading a malicious application package to exploit the vulnerabilities, while the other involves uploading a malicious page. In short, if you use SharePoint in your organization, you need to patch again.

Other Vulnerability Type based (67)

And what about the remaining vulnerabilities in various products. Of course, the RCEs that can be used in phishing attacks are most interesting. These are vulnerabilities in Microsoft Color Management (CVE-2020-1117), Edge PDF (CVE-2020-1096) and Excel (CVE-2020-0901).

Vendors paid a lot of attention to RCEs in Visual Studio Code Python Extension (CVE-2020-1171, CVE-2020-1192). But IMHO this is just a funny case. It is unlikely that attacks that require opening a specially crafted file or a repository with malicious code in Visual Studio Code will be massive.

It is also worth noting the RCE vulnerability in Windows (CVE-2020-1067). ZDI guys write that: "the only thing keeping this from being Critical is the fact that the attacker needs a domain user account for their specially crafted request to succeed. This makes the bug a prime target for insider threats, as well as penetration testers looking to expand their foothold in a target enterprise."

Remote Code Execution

Denial of Service

Memory Corruption

Elevation of Privilege

Security Feature Bypass

Information Disclosure

Cross Site Scripting

Spoofing

Among DoS vulnerabilities, the most promising is DoS in TLS (CVE-2020-1118). An attacker sends a malicious Client Key Exchange message to TLS client or server during a handshake. This flaw can cause the target system to stop responding or automatically reboot.

Memory Corruption in Media Foundation (CVE-2020-1150, CVE-2020-1028, CVE-2020-1126, CVE-2020-1136) is in fact RCE that can allow full system access to an attacker.

Among many Elevation of Privilege vulnerabilities, vendors pay attention to the EoP in Microsoft Edge (CVE-2020-1056) and Windows Remote Access Common Dialog (CVE-2020-1071). Among other vulnerabilities, they mentionт Cross Site Scripting in Microsoft Active Directory Federation Services (CVE-2020-1055) and Spoofing in Microsoft Edge (CVE-2020-1059).

That's all for the May Microsoft Patch Tuesday vulnerabilities.

Older vulnerabilities

  • The PoC for previous month RCE in Microsoft SharePoint (CVE-2020-0932) was demonstrated by ZDI. “You can download all the necessary files to try this yourself.”
  • Windows SMBv3 Client/Server Remote Code Execution Vulnerability (CVE-2020-0796) now has POC by Ricerca Security. The code is still not available.
  • And nothing new for .LNK files processing (CVE-2020-0684) and Mysterious Windows RCE (CVE-2020-0662) from February.