Site icon Sophos News

Microsoft knocks out 114 vulnerabilities in May, 2020 Patch Tuesday

(Editor’s note: This article was updated on May 13, 2020 to include additional detections in the table at the end of the post.)

In what has become a tradition, the second Tuesday of every month Microsoft releases security updates to Windows and other products. This month’s release fixes a total of 114 vulnerabilities, among which 17 are classified as Critical, and 93 as Important.

A total of 28 potential remote code execution (RCE) vulnerabilities have been fixed in Windows web components (such as the Edge or Internet Explorer browsers, or the ChakraCore Javascript engine), the Jet engine, and some Office components. Moreover, 56 local privilege escapation (LPE) bugs were also fixed, in the Windows kernel (mostly in Win32k, DirectX, or GDI) and also in some Windows services (such as Push Notification, Windows Error Reporting, and BITS).

As usual all the additional details can be found in the Security Update Guide Release Notes and users can download patches manually from the Microsoft Security Update Catalog.

Adobe usually times its updates to coincide with Microsoft, and this month release saw 21 bugs patched, all in their Acrobat Reader. With a criticality set as “Important,” all the bugs fixed classify as memory corruption vulnerabilities (null pointer, out-of-bound read, use-after-free) which can potentially lead to code execution on this victim’s host simply by opening a PDF document.

SophosLabs has investigated some of the more interesting vulnerabilities Microsoft fixed this month. Here are some highlights.

Windows Graphic Components

CVE-2020-1054,CVE-2020-1143
CVE-2020-0915,CVE-2020-0916,CVE-2020-0963,CVE-2020-1141,CVE-2020-1142,CVE-2020-1145
CVE-2020-1135,CVE-2020-1153

The graphic layers of Windows span many complex technologies, and therefore make up a huge attack surface. Attackers frequently look at these subsystems for vulnerabilities. This month, Microsoft fixed a total of 10 vulnerabilities affecting these core components, with risks going from simple kernel information leaks, up to local Elevation of Privilege (EoP).

One of the EoP vulnerabilities that stands out the most this month is CVE-2020-1054. This bug describes an out-of-bound write found in the syscall win32k!NtDrawIconEx,  which is responsible for drawing an icon into a specific handle of device context (HDC). Due to its very nature, any unprivileged Win32 application can invoke such a syscall, and therefore potentially elevate to SYSTEM.

In any case, one must bear in mind that, in order to be exploited, those bugs require access to a Windows graphical session, and also need to be able to execute code.

Web Browser memory corruption

CVE-2020-1037,CVE-2020-1056,CVE-2020-1059,CVE-2020-1096, CVE-2020-1062,CVE-2020-1092,CVE-2020-1093

ChakraCore, the JavaScript engine that powers the Edge web browser, suffers from multiple memory corruption  vulnerabilities.

If successfully exploited, these vulns could allow a remote attacker to execute code on the targeted host with the current user’s privilege simply by exposing a carefully crafted web page and either wait for a victim (or forcing them) to visit the page though XSS, CSRF, or OpenRedirect web vulnerabilities—or even through social engineering tricks.

Several vulnerabilities were also found in Internet Explorer 11 and VB scripting engine. Such vulnerabilities could also be exploited successfully as they rely on old (in some cases, unsupported) technologies, and cannot benefit from the protections modern browsers offer users.

Windows Services

CVE-2020-1084, CVE-2020-1123, CVE-2020-1137, CVE-2020-1081

Windows services are a great avenue for bugs, particularly (but not only) filesystem bugs – most notably by abusing symbolic links and junctions. As they require high privileges to run, successful exploitation of Windows services usually result in privilege escalation.

This month, Microsoft issued fixes for Windows services, such as:

have also been targeted, and their vulnerabilities fixed in the April, 2020 Patch Tuesday. Many more bugs in Windows services were fixed this month, any of which could have potentially resulted in EoP. However, the company provided us with no technical details.

Although no vulnerability was reported as exploited in the wild, many vulnerabilities are rated as very likely to be exploited. Therefore, the simple precaution principle would dictate to patch as soon as possible, which is, regardless of any other layer of protection, always the best remediation.

How is Sophos responding to these threats?

Here is a list of protection released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation capabilities in our products.

CVE

SAV

IPS
CVE-2020-1058 Exp/20201058-A SID:90001093
CVE-2020-1060 Exp/20201060-A SID:90001094
CVE-2020-1062 SID:90001095
CVE-2020-1135 Exp/20201135-A
CVE-2020-1153 SID:35483

 

How long does it take to have Sophos detection in place?

We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.

What if the vulnerability/0-day you’re looking for is not listed here?

If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.

Exit mobile version