Microsoft released its June 2020 Patch Tuesday software security update to fix a total of 129 newly discovered CVEs (Common Vulnerabilities and Exposures) affecting various versions of Windows operating systems and related software products.
The security patches apply to various Microsoft products including Microsoft Windows, Microsoft Edge, ChakraCore, Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, Adobe Flash Player, and Microsoft Apps for Android, according to Microsoft’s advisory.
The “June 2020 Patch Tuesday” is Microsoft’s biggest patch Tuesday security update ever. It released 115 patches in March 2020, and 113 fixes in April 2020. Of 129 vulnerabilities, the tech giant classified 11 as critical, 109 as important, 7 as moderate, and 2 as low in risk severity.
Critical Vulnerabilities
Microsoft stated that three critical vulnerabilities exist in Microsoft Edge and VBScript engine that could allow hackers to perform remote code execution by tricking a user into visiting a maliciously crafted web site. These vulnerabilities include:
- CVE-2020-1219 – Microsoft Browser Memory Corruption Vulnerability
- CVE-2020-1216 | VBScript Remote Code Execution Vulnerability
- CVE-2020-1216 | VBScript Remote Code Execution Vulnerability
Other critical vulnerabilities would require an attacker to trick users into downloading specially designed malicious files. If abused, these vulnerabilities could allow an attacker to execute commands on the targeted device with the same privileges as the user. These include:
- CVE-2020-1248 – GDI+ Remote Code Execution Vulnerability
- CVE-2020-1281 – Windows OLE Remote Code Execution Vulnerability
- CVE-2020-1299 – LNK Remote Code Execution Vulnerability
Satnam Narang, Staff Research Engineer at Tenable said, “Microsoft continues its streak of releasing patches for over 100 CVEs, as June 2020s Patch Tuesday release contains fixes for 129 CVEs, 11 of which are rated as critical. For the second month in a row, none of the vulnerabilities patched this month were exploited in the wild nor publicly disclosed. Most notably in this month’s release are a trio of fixes for vulnerabilities in Microsoft Server Message Block (SMB), two of which reside in SMB version 3.1.1 (SMBv3),”
Microsoft urged system administrators and users to install these updates as soon as possible to protect their devices from privilege escalation and spoofing attacks. “These updates are intended to help our customers keep their computers up-to-date. We recommend that you install all updates that apply to you,” Microsoft said.
