Microsoft Issues June 2020 Security Updates Addressing Critical Vulnerabilities
Microsoft has announced the release of its software security updates for June 2020, which provide critical patches for 129 vulnerabilities found across various Windows operating systems and related products. This round of updates marks the third Patch Tuesday since the onset of the global COVID-19 pandemic, adding pressure on IT security teams who must navigate complex patch management without disrupting essential services during these challenging times.
Among the 129 vulnerabilities identified, 11 are classified as critical, all of which could facilitate remote code execution attacks. The majority of the remaining vulnerabilities, 118 in total, are deemed important and primarily involve privilege escalation and spoofing risks. This comprehensive update highlights the ongoing risk landscape for system administrators and millions of users.
Notably, Microsoft’s advisory indicates that, as of now, there are no indications that any of the zero-day vulnerabilities disclosed this month are currently being exploited by threat actors. Moreover, no specific details about these vulnerabilities were publicly available prior to today’s release, which should offer some reassurance to users as they implement the necessary updates.
Among the vulnerabilities is a significant information disclosure flaw in the Server Message Block version 3.1.1 (SMBv3) protocol, identified as CVE-2020-1206. Research indicates that this flaw may be leveraged in conjunction with the previously disclosed SMBGhost vulnerability (CVE-2020-0796), potentially allowing attackers to execute harmful remote code. Additional details regarding this critical issue can be found in the advisory.
Three vulnerabilities impacting the VBScript engine (CVE-2020-1213, CVE-2020-1216, and CVE-2020-1260) are critical as well. These flaws relate to the engine’s handling of objects in memory, granting an attacker the capability to execute arbitrary code in the context of the current user. Given the patterns of exploitation observed in past incidents, Microsoft has flagged these as higher risk, potentially facilit working remotely through browsers, applications, or Microsoft Office documents that utilize the Internet Explorer rendering engine.
Another critical vulnerability pertains to how Windows manages Shortcut (.LNK) files (CVE-2020-1299). Failures in this handling can pave the way for remote code execution, posing serious risks of unauthorized access and data theft for targeted systems. Similar vulnerabilities have historically enabled threat actors to compromise user control over their systems.
Additionally, a vulnerability in the GDI+ component (CVE-2020-1248) has been discovered, allowing for remote code execution. Microsoft alerts that this issue can be exploited in concert with a separate critical security feature bypass affecting Microsoft Outlook (CVE-2020-1229). As highlighted in the advisory, an attacker could exploit this in a targeted email scenario, using specially crafted images that could reveal the system’s IP address to the attacker.
Among the updates is also a patch for a critical remote code execution vulnerability impacting Adobe Flash Player on Windows systems (CVE-2020-9633). In light of the significant threats these vulnerabilities present, immediate action to apply the latest security patches is highly advisable in order to safeguard systems against potential exploitation by malicious actors.
To install these critical security updates, Windows users should navigate to Start > Settings > Update & Security > Windows Update and select the option to check for updates. Ensuring that systems are up-to-date is crucial in maintaining cybersecurity hygiene and mitigating risks associated with these newly disclosed vulnerabilities.
As the cybersecurity landscape continues to evolve, staying informed and proactive in addressing vulnerabilities remains imperative for business owners and IT professionals alike.