Threat Research

In this month’s Patch Tuesday, a total of 128 security vulnerabilities have been patched in Microsoft products, a slight increase compared to the last few months. Only twelve of the vulnerabilities are rated “Critical.” None of the bugs have been found being exploited in the wild (yet).

In addition, a remote code execution vulnerability in Adobe’s Flash player software is also rated critical, and an update (not distributed through the Windows Update mechanism) was released today by Adobe for Flash, for Adobe Framemaker, and for the Adobe Experience Manager.

Preceding this month’s update was a fix for an Elevation of Privilege vulnerability in Edge Chromium. As is the case with the browser, based on Chrome, updates to Edge Chromium are distributed from within the browser, independent of Patch Tuesday releases, and don’t require a system restart.

As usual all the additional details can be found in the Security Update Guide Release Notes and users can download patches manually from the Microsoft Security Update Catalog if there’s a delay getting updates automatically.

Some words about this month’s most notable bug fixes:

Office Remote Code Execution

Microsoft Word, CVE-2020-1321

Microsoft Excel, CVE-2020-1225, CVE-2020-1226

Word for Android, CVE-2020-1223

Remote Code Execution vulnerabilities in the Office suite can lead to compromise of a system if the user, running an unpatched version of the software, is enticed to open a malicious document by an attacker, most commonly delivered by way of email.

While such bugs in Office software for Windows come a dime a dozen, this month marks the first time that a CVE has been assigned to the Android version of Word.

While Sophos is a member of Microsoft’s MAPP program, the company provided no details about the specifics of this vulnerability in advance of the patch release. The company’s official notification indicates that the software doesn’t properly handle “a specially crafted URL file” but isn’t clear exactly what that means. The very nature of a remote code execution bug implies that the presence of this vulnerability in an Android app puts users of the not-up-to-date version of Word for Android at risk of having their Android phone hacked simply by opening the wrong document.

The updated version of this app has been made available through Google’s Play Store. As of this publication, the most recent version of Word for Android was released on May 18, 2020 and is version number 16.0.12827.20140.

Windows Elevation of Privilege

A whopping 69 bugs, more than a half of this month’s total count, fall under the category of Elevation of Privilege (EoP) vulnerabilities. The bugs are present in a wide range of Windows components and related packages.

EoP vulnerabilities could permit an attacker with limited access to a Windows system to gain more control over it, typically allowing for “escaping” a low integrity or sandboxed process by exploiting such a vulnerability, and subsequently gaining unlimited permissions to the system.

The following components of Windows are notable for their inclusion in this month’s update:

  • Windows Kernel Elevation of Privilege: 15 CVEs
  • Win32k Elevation of Privilege: 6 CVEs
  • OpenSSH for Windows Elevation of Privilege, CVE-2020-1292
  • Windows Lockscreen Elevation of Prvilege, CVE-2020-1279

Windows Kernel Security Feature Bypass


On its own, this bug is harmless to a system. However, when exploited, it allows for circumventing a security feature present in the Windows kernel, leaving the system more vulnerable to Elevation of Privilege attacks.

The security feature in question is the NULL Pointer Dereference protection, which was introduced in Windows 8.

The NULL Pointer Dereference bug class was once commonly exploited to attack operating system kernels in order to achieve Elevation of Privilege. In modern operating systems, security features have been put in place to prevent the conditions required for the successful exploitation of NULL Pointer Dereference bugs, effectively making this bug class largely obsolete.

By exploiting CVE-2020-1241, an attacker can “resurrect” this bug class on modern Windows systems, and open up the opportunity for them to be exploited.

Update about the CVE-2020-0796 (SMBGhost) vulnerability

As we wrote in March, Microsoft issued an patch to fix this vulnerability which, if exploited, can create a method for malware to copy itself from machine to machine. We typically call this type of potentially runaway behavior a wormable exploit, and we’ve seen this kind of thing used by increasing numbers of criminals in the form of, for example, EternalBlue. It’s hard to overstate the potential for damage these kinds of bugs can cause in a short period of time, as evidenced by the WannaCry ransomware outbreak a little over three years ago.

At the time we published that analysis, no known exploit existed for SMBGhost, but the situation has changed. At least two security teams claim to have developed a method to exploit the SMBGhost bug, a situation which prompted the US government’s Cybersecurity & Infrastructure Security Agency (CISA) to issue a warning about the bug, encouraging everyone to update Windows to eliminate this loophole.

If, for whatever reason, you have been deferring Windows updates since March, now is the time to pull the trigger on fixing this potentially very serious bug.

How is Sophos responding to these threats?

Here is a list of protection released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation capabilities in our products.



CVE-2020-1213 Exp/20201213-A SID:2303073
CVE-2020-1214 Exp/20201214-A SID:2303074
CVE-2020-1215 Exp/20201215-A SID:2303075
CVE-2020-1216 Exp/20201216-A SID:36922
CVE-2020-1219 Exp/20201219-A SID:2303076
CVE-2020-1230 Exp/20201230-A SID:46548
CVE-2020-1241 SID:2303078
CVE-2020-1260 SID:2303077
CVE-2020-1284 SID: 2302019


CVE-2020-1301 SID:2303080



How long does it take to have Sophos detection in place?

We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.

What if the vulnerability/0-day you’re looking for is not listed here?

If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.

Leave a Reply

Your email address will not be published. Required fields are marked *