Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Patch Tuesday – June 2020

This month, Microsoft addresses a record 129 CVEs. But the good news is that there are no zero-days to worry about.

Windows 10 and Windows Server

There are 5 critical remote code execution (RCE) flaws patched this month. A bug in the Windows Graphics Device Interface (GDI) could let an attacker take control of affected systems. Microsoft says that users whose accounts have fewer rights are less impacted than local administrators. This flaw could be exploited using a specially crafted website or document. Similar critical RCE bugs patched in Windows fix exploits in Microsoft Windows OLE, .LNK file processing, Windows Shell, and cabinet files.

Legacy EdgeHTML gets 2 critical RCE patches. One in the way ChakraCore handles objects in memory. And the second is a memory corruption vulnerability. Both bugs could let an attacker run arbitrary code with the same rights as the logged in user. So, local administrators are more likely to be impacted on affected systems. Don’t forget that even if you install the new Chromium-based Edge browser, legacy EdgeHTML doesn’t get uninstalled and it needs to be patched.

Similarly, there are 4 critical RCEs patched for Internet Explorer 11. Including the same memory corruption bug fixed for EdgeHTML. Additionally, the remaining bugs are all memory corruption issues with VBScript, potentially allowing an attacker to run arbitrary code in the context of the logged in user. Another reason why users shouldn’t log in with an administrator account.

Server Message Block (SMB) flaws

Following on from SMBGhost, which hackers are now actively exploiting but was patched in an out-of-band update in March, Microsoft plugs another three SMB holes this month. Two are in SMB 3.1.1 and they are likely to be exploited according to Microsoft. The first is a denial-of-service bug and the second is an information disclosure flaw. Both could be exploited remotely by an authenticated user.

The third SMB issue is an RCE flaw in the way SMBv1 handles requests. An authenticated attacker could send a specially crafted packet to an SMBv1 server. But unlike EternalBlue, the flaw used by WannaCry, this latest SMBv1 bug only works if the attacker can authenticate on the server. Interestingly, Microsoft has provided a fix for Windows 7 and Windows Server 2008, both of which are no longer supported.

SMBv1 is a legacy protocol and Microsoft recommends that you disable it in your organization if it isn’t used. You can find more information on Microsoft’s website here about removing SMBv1. Starting in Windows 10 Enterprise and Education, and Windows Server version 1709, assuming a system wasn’t upgraded from a previous version of Windows, SMBv1 is not installed by default. Windows 10 Home and Professional still have the SMBv1 client installed by default after a clean install. But if it isn’t used for 15 days, it is automatically removed.

For more information on default SMBv1 behavior, check out Microsoft’s website here.

Known issues

Microsoft says that this month’s cumulative update for Windows 10 might cause LTE modems to stop working on some systems.

Adobe Flash Player

In a separate update for Adobe Flash Player (KB4561600) being pushed out via Windows Update, Adobe and Microsoft are addressing a critical vulnerability that could let an attacker run arbitrary code in the context of the logged in user.

Microsoft SharePoint, Exchange, and SQL Server

SharePoint Server 2010, 2013, 2016, and 2019 all get an update for a critical RCE flaw where the server doesn’t properly identify and filter unsafe ASP.NET web controls. This bug could be exploited by an authenticated attacker using a specially crafted page to perform actions in the context of the SharePoint application pool process.

Microsoft Office

Finally, Microsoft Office gets a security fix for Outlook where it may not enforce settings correctly. An attacker could use the flaw to load remote images and reveal the IP address of the affected system. A user would need to open a specially crafted image for this bug to be exploited.

That’s it until next month.

by Russell Smith
Jun 10, 2020

Editorial Director at Petri IT Knowledgebase. Russell has more than 20 years' experience working in IT. From small business to large government IT infrastructure projects. Russell started his writing career for Windows IT Pro magazine in the early...

What is a Roaming User Profile on Windows?

Sep 1, 2023
Oct 24, 2023
Microsoft to Release Windows 11 LTSC in the Second Half of 2024

Apr 28, 2023
How to Configure Windows LAPS in an Azure Active Directory Scenario

May 3, 2023
Jul 17, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.