Application Security , Governance & Risk Management , Next-Generation Technologies & Secure Development

Microsoft Lists Critical Flaws That Need Urgent Patching

Patch Tuesday Update Highlights the Top Priority Fixes
Microsoft Lists Critical Flaws That Need Urgent Patching

Microsoft addressed vulnerabilities in a dozen of its software products as part of its Patch Tuesday update for May. And while none of the flaws are currently being exploited, several of the most critical vulnerabilities require immediate attention because they could allow an attacker to run arbitrary code, escalate privileges or gain control over a vulnerable device, Microsoft says.

See Also: Predictive Prioritization: How to Focus on the Vulnerabilities That Matter Most

Among the vulnerabilities addressed are those in Windows, Office, the Edge web browser, Visual Studio, SharePoint and the .NET framework. The update includes fixes for 16 vulnerabilities that are listed as "critical" and 95 labeled as "important.”

In April, Microsoft issued patches for three zero-day vulnerabilities, including two that affected the Adobe Type Manager Library in Windows that had been exploited by attackers (see: Microsoft Issues Patches for 3 Zero-Day Vulnerabilities).

But in the May update, "none of the bugs being patched are listed as being publicly known or under active attack at the time of release," Dustin Childs, a security analyst for Trend Micro's Zero Day Initiative, notes in a blog post. Nevertheless, he notes that several of the patches remedy critical vulnerabilities and specific flaws, so they should be applied as soon as possible.

Critical Patches

Some of the more noteworthy security flaws that Microsoft issued patches for this week include:

  • CVE-2020-1067: This remote code execution bug in Windows could allow an attacker to executive arbitrary code and escalate privileges within a device. The attacker needs a domain user account for the attack to succeed.
  • CVE-2020-1135: This flaw involves an issue in the Windows Graphics Component, where a logged-on user can take over a system by running a specially designed program with malicious code. This would then allow hackers to escalate their privileges from user to system administrator and take over a device.
  • CVE-2020-1118: This flaw in the Windows Transport Layer could allow a remote attacker to abnormally reboot a device, which could then cause a denial-of-service attack.
  • CVE-2020-1071: This vulnerability in Windows Remote Access Common Dialog provides remote access to a Windows device. The flaw could allow an attacker to run arbitrary code and escalate privileges. But Childs' blog notes that the hacker would need physical access to make this exploit work.

Microsoft also issued patches for three flaws in its SharePoint platform that, if exploited, would also lead to remote code execution vulnerabilities. Other critical fixes includes those for bugs affecting the MSHTML Engine in Internet Explorer, the Jet Database Engine as well as the Edge web browser.

Last month, Microsoft addressed a critical vulnerability in its Teams collaboration platform that could have allowed an attacker to take over an organization's accounts through the use of a weaponized GIF image (see: Microsoft Patches Teams Vulnerability).

Breaking 100 Again

May's Patch Tuesday marked the third month in a row that Microsoft issued over 100 patches for its software products. In March, the company announced 115 bug fixes followed by another 113 in April.

"We’ll see if they maintain that pace throughout the year," Trend Micro's Childs notes.

As the COVID-19 pandemic began to spread earlier this year, Microsoft announced that it would pause all non-essential Windows updates. But the company is still issuing security updates that are essential, especially as employees work from home and security and IT needs focus on managing these remote work forces (see: Microsoft to Pause Non-Essential Software Updates).


About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.