This will be my third Microsoft Patch Tuesday report in video and audio format. And for the third time in a row, Microsoft has addressed over a hundred vulnerabilities. With my Microsoft Patch Tuesday parser, it was possible to generate a report almost on the same day. But, of course, it takes much more time to describe the vulnerabilities manually.
Last time I complained that different VM vendors release completely different reports for Microsoft Patch Tuesday. This time I decided that it's not a bug, but a feature. I upgraded my script to not only show vulnerabilities, but also show how these vulnerabilities were mentioned in the reports of various VM vendors (Tenable, Qualys, Rapid7 and ZDI). In my opinion, it seems pretty useful.
In the old report, we can see that there are no vulnerabilities actively used in attacks.
There are 8 vulnerabilities that MS considers more likely to be exploited. We see the types of these vulnerabilities and what products they affect. But all other details should be googled.
And here my script adds comments about vulnerabilities from the vendors and highlights vulnerabilities that were mentioned (or not mentioned).
We can see right away that Rapid7 recommends paying attention to RCE in Internet Explorer (CVE-2020-1062), although other vendors ignore this vulnerability.
According to W3Counter, the current IE11 share is only 1.75%. But, on the other hand, it can still be used in some organizations to access legacy systems. And so this vulnerability may be exploited in targeted attacks.
Tenable pays attention to RCE in Microsoft Graphics Components. "The attacker would need to utilize social engineering tactics to convince a user to open a specially crafted file". Finally, ZDI claims that VBScript RCE (CVE-2020-1060) is especially interesting because "does't involve some form of user interaction".
Agree that looking at Microsoft Patch Tuesday vulnerabilities in this way is much more fun.
Regarding the Elevation of Privilege, ZDI claims that Windows Graphics Component EoP (CVE-2020-1135) is a real exploitable thing. Tenable mentions vulnerabilities of this type in Windows Kernel (CVE-2020-1054, CVE-2020-1143).
These were all "more likely to be exploited" vulnerabilities, according to Microsoft.
What about other vulnerabilities? Let's see the large groups of vulnerabilities in the same product. Strictly speaking, there is only one product, Microsoft SharePoint, with a bunch of different vulnerabilities. The rest are EoPs in Windows components that no VM vendor mentions.
But they write a lot about SharePoint, especially about RCEs (CVE-2020-1023, CVE-2020-1024, CVE-2020-1069, CVE-2020-1102). Three of the four RCEs involve uploading a malicious application package to exploit the vulnerabilities, while the other involves uploading a malicious page. In short, if you use SharePoint in your organization, you need to patch again.
And what about the remaining vulnerabilities in various products. Of course, the RCEs that can be used in phishing attacks are most interesting. These are vulnerabilities in Microsoft Color Management (CVE-2020-1117), Edge PDF (CVE-2020-1096) and Excel (CVE-2020-0901).
Vendors paid a lot of attention to RCEs in Visual Studio Code Python Extension (CVE-2020-1171, CVE-2020-1192). But IMHO this is just a funny case. It is unlikely that attacks that require opening a specially crafted file or a repository with malicious code in Visual Studio Code will be massive.
It is also worth noting the RCE vulnerability in Windows (CVE-2020-1067). ZDI guys write that: "the only thing keeping this from being Critical is the fact that the attacker needs a domain user account for their specially crafted request to succeed. This makes the bug a prime target for insider threats, as well as penetration testers looking to expand their foothold in a target enterprise."
Among DoS vulnerabilities, the most promising is DoS in TLS (CVE-2020-1118). An attacker sends a malicious Client Key Exchange message to TLS client or server during a handshake. This flaw can cause the target system to stop responding or automatically reboot.
Memory Corruption in Media Foundation (CVE-2020-1150, CVE-2020-1028, CVE-2020-1126, CVE-2020-1136) is in fact RCE that can allow full system access to an attacker.
Among many Elevation of Privilege vulnerabilities, vendors pay attention to the EoP in Microsoft Edge (CVE-2020-1056) and Windows Remote Access Common Dialog (CVE-2020-1071). Among other vulnerabilities, they mentionт Cross Site Scripting in Microsoft Active Directory Federation Services (CVE-2020-1055) and Spoofing in Microsoft Edge (CVE-2020-1059).
That's all for the May Microsoft Patch Tuesday vulnerabilities.