June 10, 2020 (updated 21 Aug 2023 3:49pm)

Microsoft Patches a Record 128 Vulnerabilities

Nothing caught being exploited in the wild (yet)...

By CBR Staff Writer

Microsoft has patched a monthly record 128 vulnerabilities — 11 of them deemed critical — with the worst bugs spanning SharePoint Server, scripting engines, Windows, GDI+, OLE and LNK files.

While the overall numbers are high (Microsoft has now patched 616 bugs this year already, nearly as many as 2019’s annual total of 665), none have been identified as being exploited in the wild.

Some 19 of the patches fix bugs in the Windows Kernel and Kernel-mode drivers, Trend Micro’s Zero Day Initiative noted.

This month’s “Patch Tuesday” includes a fix for a Remote Code Execution (RCE) vulnerability in Windows. CVE-2020-1300 allows an attacker to spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver. This was identified by Tencent Security Xuanwu Lab, and impacts a sweeping range of Windows versions, including 20 different versions of Windows Server. 

Another RCE, CVE-2020-1301, exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests: “An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server”, warns Microsoft, giving it a “1” for exploitability, meaning exploitation is “more likely”. (The attacker would need to be authenticated, however, and send a specially crafted packet to a targeted SMBv1 server.)

As Gill Langston, “Head Security Nerd” at SolarWinds MSP notes: “SharePoint should be the focus of your patching efforts first. And if you have not yet disabled SMBv1 across your systems, that should be a focus this month. The good news: since version 1709 of Windows 10, SMBv1 was not installed by default on a new installation, unless you installed and enabled it yourself. If you are running Windows 7, here is another good reason to move to a supported (and more secure) operating system.”
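The SMBv1 check Langston recommends, as an added PowerShell example (not from the article, SolarWinds or Microsoft): it assumes a Windows 10 / Server 2016 or later host with the SmbShare module, run from an elevated session, and reports both the server-side protocol switch and the optional-feature state before making any change.

```powershell
# Added example: audit SMBv1 on the local host and, on request, disable it.
# Assumes Windows 10 / Server 2016+ (SmbShare module present) and an elevated session.
# Removing the optional feature only completes after a reboot, so re-run the audit afterwards.

function Get-Smb1Status {
    # Server-side switch: whether remote clients may still negotiate SMB 1.0 against this host
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Optional-feature state: the SMB1 components themselves (absent on 1709+ fresh installs)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $serverEnabled
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $status = Get-Smb1Status
    if ($status.Smb1ServerEnabled -and
        $PSCmdlet.ShouldProcess($status.ComputerName, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($status.Smb1FeatureState -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess($status.ComputerName, 'Remove SMB1Protocol optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Return the post-change state so the caller can log or compare it
    Get-Smb1Status
}

Get-Smb1Status
# Disable-Smb1 -WhatIf   # dry run; drop -WhatIf to apply
```

Run `Get-Smb1Status` on its own to inventory hosts before remediating; `Smb1ServerEnabled = True` with `Smb1FeatureState = Enabled` is the combination the patch note above is warning about.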

Another RCE, CVE-2020-1281, exists in Windows Object Linking and Embedding (OLE). This would allow an attacker to convince a user to open a specially crafted file or program from an email or webpage, executing malicious code on the host system. All Windows OLE installations should be prioritized for patching.


Patches targeting Elevation of Privilege (EoP) bugs also took centre stage this month with a total of 70 being addressed.

Animesh Jain, Vulnerability Signature Product Manager at Qualys said: “The Browser, Scripting Engine, LNK files (CVE-2020-1299), GDI+ (CVE-2020-1248) and OLE (CVE-2020-1281) should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for

Adobe meanwhile patched bugs in Experience Manager, Flash Player and Framemaker. The one critical vulnerability in Adobe Flash should be prioritised on any workstation-type systems.
