May 2020 Patch Tuesday – 111 Vulns, 16 Critical, SharePoint, VS Code, Adobe Patches


Continuing the trend of large Microsoft Patch Tuesdays, this month’s release addresses 111 vulnerabilities, 16 of them labeled as Critical. The 16 Critical vulnerabilities cover SharePoint, Browsers, Scripting Engines, Media Foundation, Microsoft Graphics, Microsoft Color Management, and the VS Code Python Extension. Adobe released patches today for Acrobat/Reader and DNG SDK.

### Workstation Patches

The Browser, Scripting Engine, Media Foundation, Microsoft Graphics, and Microsoft Color Management patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

### SharePoint RCEs

Similar to last month, Microsoft has also released patches for SharePoint covering four RCE vulnerabilities ([CVE-2020-1023](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1023>), [CVE-2020-1024](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1024>), [CVE-2020-1102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1102>), [CVE-2020-1069](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1069>)). Three of the four RCEs involve uploading a malicious application package to exploit the vulnerabilities, while the other involves uploading a malicious page. These patches should be prioritized for all SharePoint servers.

### Visual Studio Code Python Extension RCE

Microsoft also released a patch for an RCE vulnerability in the VS Code Python Extension ([CVE-2020-1192](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1192>)). Exploiting the vulnerability would require the user to open a malicious file, and would grant the attacker the same rights as the user. All VS Code installations with this extension should be prioritized for patching.

### Autodesk FBX Library

In late April, Microsoft issued out-of-band [updates](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200004>) for Office, 3D Viewer, and Paint 3D, which use the Autodesk FBX Library to render 3D content. [Vulnerabilities](<https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002>) in this library can lead to remote code execution if a user opens a specially crafted file.

### Adobe

Adobe issued patches today covering multiple vulnerabilities in [Acrobat/Reader](<https://helpx.adobe.com/security/products/acrobat/apsb20-24.html>) and [DNG SDK](<https://helpx.adobe.com/security/products/dng-sdk/apsb20-26.html>). The patches for Acrobat/Reader are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while DNG SDK's patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>). These patches resolve multiple Critical vulnerabilities.

Adobe also released patches out-of-band on April 28th covering Critical vulnerabilities in [Bridge](<https://helpx.adobe.com/security/products/bridge/apsb20-19.html>), [Illustrator](<https://helpx.adobe.com/security/products/illustrator/apsb20-20.html>), and [Magento](<https://helpx.adobe.com/security/products/magento/apsb20-22.html>). The patches for Magento are Priority 2, while the others are Priority 3.

While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.

### About Patch Tuesday

Patch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>).