Welcome to May’s Patch Tuesday breakdown.
Microsoft has released patches for 111 vulnerabilities this month, with 16 rated critical. May’s update from Microsoft continues the trend of triple-digit patch loads and is one of the heaviest Patch Tuesday releases we’ve seen so far this year. In March, Microsoft resolved 115 vulnerabilities and another 113 in April. While May brings another sizable update from Microsoft, at least there are no reports of active exploitation this month.
For May, Adobe has released two updates, both of which are critically rated and address arbitrary code execution vulnerabilities. Mozilla has also released a handful of patches this month, three of which are rated critical.
Over the last few months, many organizations have had to make dramatic shifts in how everyday operations are run, and many employees are now working remotely. Managing patch deployment for remote devices can present a real challenge for IT staff, especially if they’re relying on legacy patch management platforms and VPNs to get the job done. Patches should be deployed as quickly as possible, but as many organizations are finding out, traditional patching solutions are not cut out to keep pace with modern infrastructure.
Deploying security updates on a routine basis is an integral part of cyber hygiene best practices. See last month’s breakdown for coverage of April’s Patch Tuesday update.
Patch Tuesday Highlights from Microsoft
This month’s security update from Microsoft includes fixes for 111 vulnerabilities, 16 of which are rated critical. Some of the most notable vulnerabilities for May include:
CVE-2020-1023, -1024 and -1102 are remote code execution vulnerabilities in Microsoft Sharepoint which exist when Sharepoint fails to check the source markup of an application package. These vulnerabilities can be exploited through maliciously designed application packages, and if successful, attackers can then gain entry to the victim system. From there, attackers can read, change or delete data, as well as run code directly on the system. Once exploited, attackers can use these entry points to run additional attacks within your environment and move laterally throughout the system.
The update from Microsoft resolves this issue by correcting how Sharepoint checks the source markup of application packages.
CVE-2020-1135 is an elevation of privilege vulnerability that exists in Windows Graphics Component when objects in memory are handled improperly. Attackers can use a specially designed application to exploit this vulnerability, and if successful, may seize control of the target system. By elevating a process’s privileges, attackers can attempt to steal credentials or sensitive data, run malicious code or download malware.
This vulnerability can be found in most Windows 10 and Windows Server builds and Microsoft ranks it as more likely to be exploited. The patch from Microsoft corrects how objects in memory are handled and prevents unintentional elevations from user mode.
CVE-2020-1192 is a remote code execution vulnerability that exists in Visual Studio Code when Python extension loads workspace settings from a notebook file. Attackers can exploit this vulnerability by tricking users into opening a maliciously crafted file in Visual Studio Code with Python extension installed. If successful, attackers can use this vulnerability to run arbitrary code and take control of the victim system within the context of the current user. From there, attackers can install, modify or delete data. This can mean anything from potentially stealing important data or installing malware.
Microsoft resolves this vulnerability by changing the way Visual Studio Code Python Extension enforces user settings. Because Visual Studio Code is one of the most popular developer environment tools, it is critical that this patch be deployed before the vulnerability is weaponized by attackers. Malicious actors can weaponize a known vulnerability in seven days; delaying patches for critical vulnerabilities is an unnecessary risk.
More On Updates From Microsoft
While not critically rated, Microsoft has released a few important updates this month that are also noteworthy:
CVE-2020-1118 is a denial of service vulnerability found in Windows implementation of Transport Layer Security (TLS). Microsoft ranks this vulnerability as less likely to be exploited, but a successful exploit could lead to permanent denial of service (PDoS). While this is less common than your standard DDoS attack, the end-goal is essentially the same: Render the target system or service unusable. While exploitation is unlikely, a successful attack could be very damaging. May’s Patch Tuesday update from Microsoft corrects this issue by changing how TLS key exchange validates messages.
CVE-2020-1058 and CVE-2020-1060 are both remote code execution vulnerabilities found in the way VBScript engine handles objects in memory. There are multiple ways in which attackers can seek to exploit these vulnerabilities, and while not critically rated, it is very possible we’ll see exploitation in the wild. If successful, a malicious actor can use these vulnerabilities to gain control of the victim system within the context of the current user -- potentially allowing them to see, view or change data, install programs or create new accounts.
Microsoft’s security updates correct these issues by changing how the scripting engine handles objects in memory.
Other Security Updates for May
This month, Adobe has released security updates for Acrobat and Reader, as well as Adobe DNG SDK. The Acrobat and Reader update comes with 24 security updates and the DNG SDK update features 12 fixes. Both updates are rated as critical, with arbitrary code execution vulnerabilities found in both.
As a third-party application, Adobe may get neglected in your patching routine and vulnerabilities may start to accumulate. While the scope of an arbitrary code execution attack may be limited to the privileges of the target process, these attacks can be combined with other exploits -- such as privilege escalation -- to increase potency and seize full control of the victim device or system.
Earlier in May, Mozilla also released security updates for multiple versions of its Firefox web browsers, including Firefox for iOS 25, Firefox ESR 68.8 and Firefox 76. Mozilla also released a security update for Thunderbird 68.8.0. All of these updates are rated critical, except for the iOS 25 update, which is rated important.
Mozilla’s updates for Firefox ESR 68.8 and Firefox 76 fix 7 and 11 vulnerabilities, respectively, while the update for Thunderbird resolves half a dozen security bugs. We can all be grateful for the fact that the updates from Adobe and Mozilla are fairly light this month.
While many organizations have faced significant changes in the last few months, adhering to patch management best practices is integral to overall cyber security. Whether your employees are remote or in-house, patching regularly and quickly is necessary for minimizing your organization’s attack surface.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.