Microsoft has patched a monthly record 128 vulnerabilities — 11 of them deemed critical — with the worst bugs spanning SharePoint server, scripting engines, Windows, GDI+, OLE and LNK files.
While the overall numbers are high (Microsoft has now patched 616 bugs this year already, nearly as many as 2019’s annual total of 665), none have been identified as being exploited in the wild.
Some 19 of the patches fix bugs in the Windows Kernel and Kernel-mode drivers, Trend Micro’s Zero Day Initiative noted.
This month’s “Patch Tuesday” includes a fix for a Remote Code Execution (RCE) vulnerability in Windows. CVE-2020-1300 allows an attacker to spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver. This was identified by Tencent Security Xuanwu Lab, and impacts a sweeping range of Windows versions, including 20 different versions of Windows Server.
Another RCE, CVE-2020-1301 exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests: “An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server”, warns Microsoft, giving it a “1” for exploitability, meaning it is “more likely”. (The attacker would need to be authenticated however, and send a specially crafted packet to a targeted SMBv1 server.)
As Gill Langston, “Head Security Nerd” at SolarWinds MSP notes: “SharePoint should be the focus of your patching efforts first. And if you have not yet disabled SMBv1 across your systems, that should be a focus this month. The good news: since version 1709 of Windows 10, SMBv1 was not installed by default on a new installation, unless you installed and enabled it yourself. If you are running Windows 7, here is another good reason to move to a supported (and more secure) operating system.”
An RCE, CVE-2020-1281, in Windows Object Linking and Embedding (OLE). This would allow an attacker to convince a user to open a specially crafted file or program form email or webpage, and executing malicious code on the host system. All Windows OLE installations should prioritized for patching.
Patches targeting Elevation of Privilege (EoP) bugs also took centre stage this month with a total of 70 being addressed.
Animesh Jain, Vulnerability Signature Product Manager at Qualys said: “The Browser, Scripting Engine, LNK files (CVE-2020-1299), GDI+(CVE-2020-1248) and OLE (CVE-2020-1281) should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for
Adobe meanwhile patched bugs in Experience Manager, Flash Player and Framemaker. The one critical vulnerability in Adobe Flash should be prioritised on any workstation-type systems.