The June 2020 Security Update Review

June is here, and it brings with it a record number of security patches from Microsoft, and a few from Adobe as well. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for June 2020

Adobe’s release for June is on the small side with three bulletins correcting 10 CVEs in Adobe Flash, Experience Manager, and Framemaker. Two of the Framemaker CVEs came through the ZDI program. The update for Flash corrects a single, Critical-rated use-after-free bug that could allow remote code execution. The update for Framemaker is also rated Critical. It corrects a single memory corruption and two Out-Of-Bounds write bugs. The update for Experience Manager is rated Important and addresses six different bugs. Most of these bugs fall into the cross-site scripting category while two are Server-side request forgery (SSRF) bugs. None of the bugs patched by Adobe this month are listed as publicly known or under active attack at the time of release.

Update – June 16, 2020

On June 16, Adobe published an additional six bulletins addressing 19 additional CVEs in Adobe Audition, Premiere Rush, Premiere Pro, Illustrator, After Affects, and Campaign Classic. Eleven of these bugs were reported by ZDI Security Researcher Mat Powell. The update for Campaign Classic is rated Important in severity, while all of the other updates are rated Critical. None of these bugs are listed as being publicly known or under active attack at the time of release. Adobe did not say why these patches came a week after the normally scheduled update release.

Microsoft Patches for June 2020

For June, Microsoft released patches for 129 CVEs covering Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based and Chromium-based in IE Mode), ChakraCore, Office and Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, and Microsoft Apps for Android. This is the fourth month in a row that Microsoft has released patches for more than 110 CVEs, and this is the highest number of CVEs ever released by Microsoft in a single month. This brings the total number of Microsoft patches released this year to 616 – just 49 shy of the total number of CVEs they addressed in all of 2017.

Of these 129 patches, 11 are rated Critical while 118 are rated Important in severity. Nine of these CVEs came through the ZDI program. None of the bugs being patched are listed by Microsoft as being publicly known or under active attack at the time of release. However, the ZDI did publish some details on CVE-2020-0915, CVE-2020-0916, and CVE-2020-0986 prior to today as they had exceeded our disclosure timeline.

Let’s take a closer look at some of the more interesting updates for this month, starting with an all too familiar bug type:

-       CVE-2020-1299 – LNK Remote Code Execution Vulnerability
This is the third LNK bug fixed this year, and the description reads just like the previous bugs. An attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file. These types of files are often put on a USB drive in an attempt to bridge an air-gapped network. If you’re interested in how these types of bugs work, you can check out this blog, which details one of the previous bugs.

-       CVE-2020-1229 – Microsoft Outlook Security Feature Bypass Vulnerability
This bug could allow attackers to automatically load remote images – even from within the Preview Pane. While this bypass alone could just disclose the IP address of a target system, it’s not unheard of to get code execution through the processing of specially crafted images (see any GDI+ bug). Patches are available for Windows-based versions of Office, but the patches for Office 2016 for Mac and Office 2019 for Mac are not yet available.

-       CVE-2020-1300 – Windows Remote Code Execution Vulnerability
This patch corrects a vulnerability in the processing of cabinet files. An attacker could get code execution by convincing a user to open a specially crafted CAB file. They could also spoof a network printer and dupe a user into installing the specially crafted CAB file disguised as a printer driver. Users are often conditioned into trusting printer drivers when offered one, so it would not be surprising to see this get exploited.

-       CVE-2020-1281 – Windows OLE Remote Code Execution Vulnerability
This bug allows an attacker to exploit code on a target system if they can convince a user to open a specially crafted file or program. Since this involves OLE data structures, multiple file types could be used by the attacker. Considering this impacts every supported version of Windows put this one near the top of your test and deploy list.

Here’s the full list of CVEs released by Microsoft for June 2020.

Of the remaining Critical-rated patches, most are related to web browsers or some form of browse-and-own scenario. GDI+, Windows Shell, VBScript, and Browsers all receive Critical-rated patches. There’s also a Critical-rated SharePoint bug that would allow remote code execution if an authenticated user managed to create and invoke a specially crafted page on an affected version of SharePoint. We’ll have more information about this bug in an upcoming blog.

There are several Important-rated code execution vulnerabilities getting patches as well. The direst sounding involves code execution via SMB. However, unlike its SMBGhost cousin, this bug only impacts SMBv1 and requires authentication. If you’ve already disabled SMBv1, you don’t need to worry about this one. If you haven’t already disabled SMBv1, you really should. SMBv3 does receive patches this month, but only for information disclosure and Denial-of-Service (DoS) bugs. An unauthenticated attacker could shut down affected systems via an SMBv3 packet, but no code execution would be possible. There are also some code execution bugs being fixed in various Office components – at least the Windows version of Office. Similar to the previously mentioned Outlook bug, updates aren’t available for Office 2016 for Mac and Office 2019. Be on the lookout for those when they become available.

Moving on, patches targeting Elevation of Privilege (EoP) bugs take center stage this month with a total of 70 being addressed. A total of 19 of those 70 patches fix bugs in the Windows Kernel and Kernel-mode drivers. Other affected components include Windows Defender, the Runtime libraries, Wallet Service, and the Windows Installer. While bug in the Installer service sounds scary, an attacker would still need to log on to a system then run a malicious app to elevate privileges. The updates for Defender should require no action, as the engine keeps itself updated. You can manually install the patch or just verify the patch was installed.

Another interesting EoP involves OpenSSH for Windows. An authenticated attacker can modify the configuration settings on an affected system. If they can then convince a user to connect to a malicious OpenSSH server, they escalate privileges on the target client. Also interesting is a bug in the Lockscreen that could allow an attacker with casual physical access to load spotlight images from an insecure location. The update for Bluetooth sounds like it could be bad, but it wouldn’t allow an attack over Bluetooth itself. Instead, an attacker would need to log on to an affected system and run a specially crafted file.

There are a surprising number of spoofing bugs being addressed this month. The most notable is a patch for Microsoft Bing Search for Android. Since this is an Android app, the update is found on the Google Play store and must be manually installed. The Word for Android app also receives a patch to correct a code execution bug. This too must be manually updated through the Google Play store.

There are 14 different information disclosure bugs being patched this month, but only two - CVE-2020-1242 and CVE-2020-1296 – could potentially leak PII. All of the other bugs leak uninitialized memory. Rounding out this release are a half dozen cross-site scripting (XSS) bugs in SharePoint receiving patches.

Looking at the advisories for June, the first is Microsoft’s version of the aforementioned patch for Flash in Internet Explorer. The other is the update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.

Looking Ahead

The next Patch Tuesday falls on July 14, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!