The latest batch of patches from Microsoft for its systems and software, released for the June 2020 Patch Tuesday, fixes 129 vulnerabilities, including 11 critical ones. None are currently exploited.
A large crop of patches for the latest Patch Tuesday. As usual, Microsoft released its batch of patches correcting vulnerabilities in its software and systems on the second Tuesday of the month, in this case June 9. This month, 129 flaws are fixed, including 11 critical and 118 classified as important. Note that none of the corrected CVEs have been exploited. The fixes concern in particular IE, Edge, ChakraCore, Office and Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, SharePoint, Visual Studio, Azure DevOps, Microsoft Apps for Android …
“A remote code execution vulnerability (CVE-2020-1181) is fixed in SharePoint Server that would allow an authenticated user on a guest system to perform security actions for an application pool process. Microsoft notes that exploitation of this vulnerability is less likely, but these fixes should always be evaluated for all SharePoint servers,” said Animesh Jain, product manager at Qualys.
Networked machines not connected to the Internet at risk
Among the many flaws patched is CVE-2020-1299, a remote code execution problem relating to the .LNK file extension that Microsoft Windows uses for shortcuts. “An attacker could use this vulnerability to obtain code execution by processing a compromised .LNK file by an affected system. These types of files are often placed on a USB key in an attempt to attack networked machines not connected to the Internet,” said the team of researchers from the Zero Day Initiative. Another corrected flaw, CVE-2020-1229, allows an attacker to load booby-trapped images via Microsoft Outlook in order to retrieve the IP address of the target system.
CVE-2020-1300 and CVE-2020-1281 are Windows remote code execution flaws, via booby-trapped CAB files and in the Windows Object Linking & Embedding (OLE) component, respectively.