The May 2020 Security Update Review
May 12, 2020 | Dustin ChildsMay is upon us, and with it brings another bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for May 2020
The Adobe updates for May are just two patches covering 36 CVEs. Two of these CVEs were reported through the ZDI program. The patch for Adobe Acrobat and Reader covers 24 Critical and Important-rated CVEs that mostly consist of Out-of-Bounds (OOB) Reads and Writes. There are also some buffer overflows, memory corruptions, stack exhaustion, and Use-After-Free (UAF) bugs fixed. The patch for the Adobe DNG Software Development Kit (SDK) fixes four Critical-rated heap overflows and eight Important-rated OOB Reads. The overflows could lead to code execution, so if you use the DNG format for your digital photography, definitely make sure you are patched. None of these bugs are listed as publicly known or under active attack at the time of release.
Microsoft Patches for May 2020
For May, Microsoft released patches for 111 CVEs covering Microsoft Windows, Microsoft Edge (EdgeHTML-based), ChakraCore, Internet Explorer, Microsoft Office, and Microsoft Office Services and Web Apps, Visual Studio, Microsoft Dynamics, .NET Framework, .NET Core, and Power BI. Of these 111 CVEs, 16 are rated Critical and 95 are rated Important in severity. Eleven of these CVEs were reported through the ZDI program. None of the bugs being patched are listed as being publicly known or under active attack at the time of release. That makes three months in a row that Microsoft has released patches for more than 110 CVEs. We’ll see if they maintain that pace throughout the year.
Let’s take a closer look at some of the more interesting updates for this month, starting with a bug that requires physical access:
- CVE-2020-1071 – Windows Remote Access Common Dialog Elevation of Privilege Vulnerability
Law #3 of the 10 Immutable Laws of Security states, “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” But what if the physical access is something other than unrestricted? That seems to be the case here. An attacker would need to be at the system and boot it to the login screen. If they can do that, they could leverage a bug in the Remote Access Common Dialog to run arbitrary code with elevated privileges. This bug will be much more critical for places with open offices where casual physical access is common.
- CVE-2020-1135 - Windows Graphics Component Elevation of Privilege Vulnerability
While Pwn2Own may have been virtual this year, the bugs demonstrated certainly were not. This bug from the Fluoroacetate duo of Richard Zhu and Amat Cama allows a logged-on user to take over a system by running a specially crafted program. They leveraged a Use-After-Free (UAF) bug in Windows to escalate from a regular user to SYSTEM.
- CVE-2020-1067 - Windows Remote Code Execution Vulnerability
This patch corrects an RCE bug in the Windows OS that could allow an attacker to execute arbitrary code with elevated permissions on affected systems. The only thing keeping this from being Critical is the fact that the attacker needs a domain user account for their specially crafted request to succeed. This makes the bug a prime target for insider threats, as well as penetration testers looking to expand their foothold in a target enterprise.
- CVE-2020-1118 - Microsoft Windows Transport Layer Security Denial of Service Vulnerability
This patch addresses a bug that allows a remote, unauthenticated attacker to abnormally reboot, resulting in a denial-of-service condition. A NULL pointer dereference vulnerability exists in the Windows implementation of the Diffie-Hellman protocol. An attacker can exploit this vulnerability by sending a malicious Client Key Exchange message during a TLS handshake. The vulnerability affects both TLS clients and TLS servers, so just about any system could be shut down by an attacker. Either way, successful exploitation will cause the lsass.exe process to terminate.
Here’s the full list of CVEs released by Microsoft for May 2020.
| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
| CVE-2020-1037 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1062 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2020-1028 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1126 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1136 | Media Foundation Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1117 | Microsoft Color Management Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1056 | Microsoft Edge Elevation of Privilege Vulnerability | Critical | No | No | 2 | 2 | EoP |
| CVE-2020-1153 | Microsoft Graphics Components Remote Code Execution Vulnerability | Critical | No | No | 2 | 1 | RCE |
| CVE-2020-1023 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1024 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1102 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1069 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1064 | MSHTML Engine Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1065 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1093 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1192 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1108 | .NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-1066 | .NET Framework Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1161 | ASP.NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-1084 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-1123 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-1140 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1092 | Internet Explorer Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1051 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1174 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1175 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1176 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1150 | Media Foundation Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1055 | Microsoft Active Directory Federation Services Cross-Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1063 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1096 | Microsoft Edge PDF Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1059 | Microsoft Edge Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2020-0901 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1099 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1100 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1101 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1106 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1173 | Microsoft Power BI Report Server Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2020-1061 | Microsoft Script Runtime Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1103 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1104 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2020-1105 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2020-1107 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2020-1010 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1068 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1079 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1118 | Microsoft Windows Transport Layer Security Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-1035 | VBScript Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2020-1058 | VBScript Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2020-1060 | VBScript Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2020-1171 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1054 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-1143 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-1112 | Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1111 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1121 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1165 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1166 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1154 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1116 | Windows CSRSS Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1076 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-1021 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1082 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1088 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1132 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1142 | Windows GDI Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-0963 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1141 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1145 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1179 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1135 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-0909 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-1078 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1087 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1114 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1072 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1048 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1070 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1081 | Windows Printer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1137 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1071 | Windows Remote Access Common Dialog Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1067 | Windows Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1077 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1086 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1090 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1125 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1139 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1149 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1151 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1155 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1156 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1157 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1158 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1164 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1124 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1131 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1134 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1144 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1184 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1185 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1186 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1187 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1188 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1189 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1190 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1191 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1138 | Windows Storage Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1075 | Windows Subsystem for Linux Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1113 | Windows Task Scheduler Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2020-1109 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1110 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
Of the remaining Critical-rated patches, most are related to web browsers or some form of browse-and-own scenario. Chakra Core, IE, and EdgeHTML all receive Critical-rated updates. There are also several Media Foundation Memory Corruption bugs being fixed, including several reported ZDI’s own Hossein Lotfi. Critical SharePoint bugs remain a focus with four more released this month.
Users of the Visual Studio Code Python Extension should take note of the two patches released this month. One is rated Critical while the other is rated Important. There’s no indication as to why one is more severe than the other, so you should treat them both as Critical. Rounding out the Critical patches is one to fix a local privilege escalation bug in EdgeHTML. These types of elevation of privilege bugs are typically Important, so it’s not clear why this one is rated Critical. Still, the bug could allow attackers to circumvent cross-domain policies within Edge, so definitely don’t take this one lightly.
Moving on to the Important-rated patches, the Security Feature Bypass in the Windows Task Scheduler stands out. A man-in-the-middle could run arbitrary code as an administrator by sending a specially crafted RPC message to an affected system. Although you would need to be close to the target to succeed, RCE as Admin is always intriguing. There are 13 other Important-rated RCE bugs getting fixed this month. Most of these involve some form of user interaction, but others, like CVE-2020-1060, are still browse-and-own.
The real bulk of this month’s release comes in the form of Important-rated EoP bugs. There are a total of 56 of these types of fixes in the May release, primarily impacting various Windows components. Patches for the Windows Runtime and the Windows State Repository Service component account for 23 of these fixes. This high volume of EoP vulnerabilities mirrors the types of bugs we’re seeing submitted to the ZDI program.
In addition to the previously mentioned RCE bugs in SharePoint, there are several cross-site scripting (XSS) and Spoofing bugs that look surprisingly similar to XSS bugs being fixed this month. One spoofing fix for the Microsoft Power BI Report Server appears to have been fixed back in September 2019. If you haven’t updated since then, you definitely should.
This month’s release is rounded about by a handful of information disclosure bugs in the kernel, graphics drivers, and the CSRSS subsystem. Only the bug in SharePoint could allow an attacker to read from the file system. Everything else just exposes memory layout. Finally, there are seven Denial-of-Service (DoS) bugs receiving patches. Besides the previously mentioned TLS bug, the patches for Hyper-V and .NET Core are likely the most impactful.
There are no new advisories for this month. There is an update to the Windows Servicing Stack, which adds updates for Windows Server 2008, Windows 7, and Windows Server 2008 R2 this month.
Looking Ahead
The next Patch Tuesday falls on June 9, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!