Microsoft’s scheduled monthly updates are out for May 2020. Fortunately, Microsoft Patch Tuesday update bundle for May includes no zero-day fixes, unlike the previous months. Yet, it does include some critical vulnerabilities that need immediate attention of the system admins.
Some Critical Remote Code Execution Vulnerabilities
Reportedly, Microsoft Patch Tuesday May updates include fixes for around 16 different critical security vulnerabilities. Among these, 15 bugs affecting different components could allow remote code execution attacks.
Of these 15, 3 RCE bugs existed in Microsoft SharePoint (CVE-2020-1023, CVE-2020-1024, and CVE-2020-1102), regarding which, Microsoft’s advisory reads,
A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
Besides, the other critical RCE vulnerabilities affected the Windows Media Foundation, Microsoft SharePoint Server, Internet Explorer, Microsoft Edge components.
Whereas, the only critical vulnerability that allowed elevation of privileges to an attacker also existed in Microsoft Edge browser. It existed because of the improper implementation of cross-domain policies by the browser. Exploiting the bug could allow an attacker to inject the contents of one domain to another.
Regarding this bug, CVE-2020-1056, the advisory reads,
In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker’s site. An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Microsoft Edge.
Important Updates In Microsoft Patch Tuesday May
Apart from the 16 critical bugs, Microsoft addressed 95 different important severity vulnerabilities as well. The components receiving these bug fixes include Windows Task Scheduler, Windows Update Stack, Windows State Repository Service, Windows Runtime, Windows Kernel, DirectX, and other core components.
However, this month’s fixes do not include patches for any low severity bugs. Nor does it include any zero-day fixes.
So, the admins can patch the system without a rush. Yet, they must ensure updating the systems at the earliest to stay safe.