Microsoft released updates for several software products to patch 129 vulnerabilities, 11 of which were rated critical.
Microsoft recently patched a staggering 129 vulnerabilities in Windows 10 and supporting software applications. This June release is the fourth consecutive update Microsoft has issued for Windows 10 and carries 18 more fixes than its May release, making it the biggest update so far.
11 of the 129 vulnerabilities are deemed critical by the company. The Microsoft Security Response Center defines critical vulnerabilities as those ‘whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.’
Microsoft announced updates for the following products along with Windows 10: Microsoft Edge (EdgeHTML-based), Microsoft Edge (Chromium-based) in IE Mode, Microsoft ChakraCore, Internet Explorer, Microsoft Office/Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, HoloLens, Adobe Flash Player, Microsoft Apps for Android, Windows App Store, System Center, and Android App.
None of the vulnerabilities have been exploited so far, so system administrators and individual users alike are advised to update their systems now, either automatically or by downloading the patches manually from the Microsoft Security Update Catalog.
Of the 11 critical vulnerability patches, three for Microsoft Server Message Block were given Microsoft's "Exploitation More Likely" rating. These are CVE-2020-1206 for SMBv3, which remotely leaks kernel memory and was discovered while studying the functions affected by CVE-2020-0796; CVE-2020-1301 for SMBv1, which, if left exposed, could be exploited by ransomware; and CVE-2020-1284, a denial-of-service (DoS) vulnerability, also in SMBv3.
CVE-2020-0796, otherwise known as SMBGhost, has the potential to wreak havoc through wormable ransomware, and in combination with CVE-2020-1301 it could prove to be on a par with 2017's WannaCry attack.
Someone has created a no-auth RCE exploit for the SMBGhost vulnerability for Windows (CVE-2020-0796). This will be a really bad bug, leading to wormable malware, when baddies get it. The patch was released in March. Don’t let this be your Wannacry 2.0
— Angry Brandt (@threatresearch) June 4, 2020
The release also includes a patch (ADV200010/CVE-2020-9633) for a critical Adobe Flash Player remote code execution (RCE) flaw. The Flash Player update is not distributed through Windows Update and must be obtained separately from Adobe.
Other critical patches include CVE-2020-1213, CVE-2020-1216 and CVE-2020-1260, all for RCE vulnerabilities in VBScript that execute with the current user's rights; an attacker who exploited one of them could take control of the system. The VBScript vulnerabilities were also given the "Exploitation More Likely" rating.
This is also the first time Microsoft has released a vulnerability patch for Android. Tracked as CVE-2020-1223, the update fixes an RCE flaw in Microsoft Word for Android.
A complete list of the vulnerability patches is available from Microsoft's Security Update Guide.