Microsoft released the June 2020 Security Updates, which include 128 unique vulnerability fixes, 11 of them rated Critical. In addition, Adobe patched a Critical vulnerability in Adobe Flash.
In all, the Microsoft security updates address vulnerabilities in the following products:
- Adobe Flash Player
- Android App
- Azure DevOps
- Internet Explorer
- Microsoft Apps for Android
- Microsoft ChakraCore
- Microsoft Dynamics
- Microsoft Edge (Chromium-based) in IE Mode
- Microsoft Edge (EdgeHTML-based)
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows
- System Center
- Visual Studio
- Windows App Store
- Windows Defender
Microsoft has provided patches for each of the vulnerabilities and summarized them in the June 2020 Security Updates Release Notes.
VBScript RCE vulnerabilities
Three of the 11 Critical vulnerabilities are VBScript remote code execution (RCE) bugs.
Those Critical vulnerabilities (CVE-2020-1213, CVE-2020-1216 and CVE-2020-1260) each exist in the way the VBScript engine handles objects in memory.
Microsoft further confirmed that “exploitation is more likely” for each of the VBScript issues.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft warned in the advisories.
As a result, an attacker could take control of an affected system and “install programs; view, change, or delete data; or create new accounts with full user rights.”
Browser RCE vulnerability
Another of the Critical issues is a Microsoft browser memory corruption vulnerability, CVE-2020-1219, that could result in remote code execution.
“The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user,” Microsoft stated.
This issue affected multiple versions of Edge, Internet Explorer and ChakraCore.
SharePoint RCE vulnerability
Another Critical bug is a Microsoft SharePoint Server RCE vulnerability, CVE-2020-1181.
“A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process,” Microsoft said.
Windows Shell RCE
Another RCE vulnerability, CVE-2020-1286, exists when the Windows Shell does not properly validate file paths.
An attacker could exploit the vulnerability by tricking a user into opening a specially crafted file via a phishing email or a web-based attack.
The Windows Shell vulnerability impacts multiple versions of Windows 10, Windows Server and Windows Server 2019.
Other notable RCEs
The remaining 5 Critical RCE vulnerabilities are:
- CVE-2020-1073: Scripting Engine Memory Corruption Vulnerability
- CVE-2020-1248: GDI+ Remote Code Execution Vulnerability
- CVE-2020-1281: Windows OLE Remote Code Execution Vulnerability
- CVE-2020-1299: LNK Remote Code Execution Vulnerability
- CVE-2020-1300: Windows Remote Code Execution Vulnerability
Organizations should prioritize all of these Critical RCE patches for remediation this month.
Microsoft also issued a Critical security update referring to the new Adobe Security Bulletin APSB20-30.
The update addresses a Critical Adobe Flash vulnerability, CVE-2020-9633, that could result in arbitrary code execution. The issue affects Flash Player running on multiple versions of Windows, macOS, Linux and Chrome OS.
Finally, Microsoft fixed over a hundred other vulnerabilities rated Important, Moderate or Low severity.
Readers can also check out more vulnerability and patch details in Microsoft’s Security Update Guide.