Microsoft fixes 111 flaws on Patch Day
Microsoft Security Patches 2020
For the third time in a row, Microsoft is closing more than 100 vulnerabilities - in February it was 99. The 16 vulnerabilities rated critical concern Windows, Internet Explorer, Edge (EdgeHTML-based), Office and Visual Studio Code. Microsoft classifies the remaining 95 as high risk. None of the vulnerabilities was already being exploited or publicly known in advance. Details on all vulnerabilities can be found in the Security Update Guide. Trend Micro's ZDI blog, for example, presents the Patch Day topic in a more concise and clearer form.
Internet Explorer (IE)
The new cumulative security update (4556798) for Internet Explorer 11 fixes seven vulnerabilities in the veteran browser. Since February 11, 2020, Microsoft has only provided updates for IE 11. If you use Windows Server 2012 or Windows Embedded 8, you can install an update that upgrades IE 10 to version 11.
Edge
In the IE successor Edge (EdgeHTML-based), Microsoft fixed five vulnerabilities in May, three of which it considers critical. This time none of them is shared with IE. The new-generation Edge (Chromium-based) receives its security updates outside Patch Tuesday via the browser's built-in update feature. Microsoft released the latest version, 81.0.416.72, on May 7. Edge (Chromium-based) is thus back on the same level as Google Chrome.
Office
Microsoft has fixed 13 vulnerabilities in its Office product family this month. Microsoft classifies four of these vulnerabilities as critical; as in April, all of them affect SharePoint. An Excel vulnerability (CVE-2020-0901) could allow an attacker to inject arbitrary code using specially crafted Office documents and execute it with the privileges of the user.
Windows
The largest share, 78 vulnerabilities, is spread across the Windows versions (8.1 and later) for which Microsoft still provides security updates. Windows 7 and Server 2008 R2 are still mentioned in the security bulletins, but updates are only available to organizations participating in the paid ESU program.
Microsoft classifies five Windows vulnerabilities as critical.
As in the previous month, Microsoft has plugged three critical vulnerabilities (CVE-2020-1028/-1126/-1136) in the Windows Media Foundation. Two of them affect only newer Windows versions, i.e. Windows 10 and the associated server versions, the latter also being affected by all the other vulnerabilities. The color management of Windows 10 and Server also contains a vulnerability rated critical.
The CVE-2020-1135 vulnerability in the graphics component of Windows 10 and the associated server editions allows attackers to gain higher privileges. Richard Zhu and Amat Cama demonstrated this at the Pwn2Own hacking competition in March. All they needed was a crafted PDF file and a use-after-free vulnerability in Acrobat Reader to run their code with system privileges. Microsoft classifies this use-after-free vulnerability in Windows as high risk. CVE-2020-1153, on the other hand, is rated critical and affects the same component in all Windows versions. It could allow an attacker to inject and execute arbitrary code. This requires a specially crafted file, presumably an image or video file, which a user would have to open.
Extended Security Updates (ESU)
Companies and organizations participating in Microsoft's paid ESU program to keep systems running Windows 7 or Server 2008 R2 secure receive updates this month that close 33 vulnerabilities. None of them affects only Windows 7 and/or Server 2008 R2. The only critical vulnerability is the aforementioned CVE-2020-1153.
Visual Studio Code
Two vulnerabilities affect the Python extension for Visual Studio Code. Microsoft classifies CVE-2020-1192 as critical and CVE-2020-1171 only as high risk, but both vulnerabilities could allow an attacker to inject and execute code.
In May there is again a new version of the Windows Malicious Software Removal Tool (MSRT), which now appears quarterly. The next regular Patch Day is June 9.