View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
May 13, 2020updated 14 May 2020 9:21am

Microsoft Patches 111 Bugs, Including These Critical SharePoint Vulnerabilities

"If your prioritisation stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics"

By CBR Staff Writer

Microsoft has patched a fresh batch of critical bugs in its SharePoint platform — a collaboration and document management portal — including two remote code execution (RCE) vulnerabilities potentially allowing a hacker sustained access to critical business networks if left unpatched.

Two of the Sharepoint bugs were found by security researcher Ivan Vagunin, who told Computer Business Review that the main attack vector was against multi-tenant farms (e.g. SharePoint Online) where you can “register a tenant… then exploit [the] bug to run code in the context of privileged account (that has access to other tenants) to get data from neighbor tenants.”

The attacker would need to upload a malicious application package to exploit the vulnerabilities and have existing privileges to exploit the bugs – CVE-2020-1023/1024. Vagunin told us: “If you just have a limited access (e.g. Reader role) to some SharePoint farm, it’s unlikely that you can exploit it”.

He added: “Any RCE for SharePoint Online is critical because code is executed in the context where you can get all data from the farm”

The bugs were among 111 patched by Microsoft (16 rated as critical) as part of its monthly Patch Tuesday cycle of updates; for a change there were no publicly disclosed or exploited vulnerabilities this month.

Todd Schell, Senior Product Manager – Security at Ivanti noted that most of the critical vulnerabilities are resolved by the OS and browser updates, but added that “if you look at the Exploitability Assessment, a number of Important CVEs are concerning. 10 of this month’s 111 CVEs carried exploit ratings of one meaning exploitation is more likely for this vulnerability.

“What is interesting, and often overlooked, is that seven of the 10 CVEs at higher risk of exploit are only rated as important. It is not uncommon to look at the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are actually the ones rated as important. If your prioritisation stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Adobe meanwhile issued patches on Tuesday covering multiple vulnerabilities in Acrobat/Reader and DNG SDK. Adobe also released patches out-of-band on April 28th covering Critical vulnerabilities in BridgeIllustrator, and Magento. The patches for Magento are Priority 2, while the others are Priority 3.

Read this: Software Patch Management: Tips, Tricks and Stern Warnings


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.