Microsoft May 2020 Patch Tuesday
This month we got an average Patch Tuesday, with patches for 111 vulnerabilities in total. Sixteen of them are critical and, according to Microsoft, none was previously disclosed or is being exploited.
Amongst the critical vulnerabilities, there is a remote code execution (RCE) vulnerability in Media Foundation caused by memory corruption (CVE-2020-1126). To exploit the vulnerability, an attacker has to convince the victim to open a specially crafted document or access a malicious webpage. It affects Windows 10, Windows Server 2016, and Windows Server 2019.
Another critical RCE vulnerability, with an exploitability index rated as “more likely”, affects Microsoft Graphics Components (CVE-2020-1153). It affects most of the supported Windows versions – from Windows 7 to Windows Server 2019.
The highest CVSS v3 score this month (8.80) was given to CVE-2020-1126 – the one that affects Media Foundation (mentioned above).
See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com
Description / CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
---|---|---|---|---|---|---|---|
.NET Core & .NET Framework Denial of Service Vulnerability | |||||||
CVE-2020-1108 | No | No | Less Likely | Less Likely | Important | ||
.NET Framework Elevation of Privilege Vulnerability | |||||||
CVE-2020-1066 | No | No | Less Likely | Less Likely | Important | ||
ASP.NET Core Denial of Service Vulnerability | |||||||
CVE-2020-1161 | No | No | Less Likely | Less Likely | Important | ||
Chakra Scripting Engine Memory Corruption Vulnerability | |||||||
CVE-2020-1037 | No | No | Less Likely | Less Likely | Critical | 4.2 | 3.8 |
Connected User Experiences and Telemetry Service Denial of Service Vulnerability | |||||||
CVE-2020-1084 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
CVE-2020-1123 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
DirectX Elevation of Privilege Vulnerability | |||||||
CVE-2020-1140 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Internet Explorer Memory Corruption Vulnerability | |||||||
CVE-2020-1062 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
CVE-2020-1092 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8 |
Jet Database Engine Remote Code Execution Vulnerability | |||||||
CVE-2020-1175 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1051 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1174 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1176 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
MSHTML Engine Remote Code Execution Vulnerability | |||||||
CVE-2020-1064 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8 |
Media Foundation Memory Corruption Vulnerability | |||||||
CVE-2020-1028 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
CVE-2020-1126 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9 |
CVE-2020-1150 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1136 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
Microsoft Active Directory Federation Services Cross-Site Scripting Vulnerability | |||||||
CVE-2020-1055 | No | No | Less Likely | Less Likely | Important | ||
Microsoft Color Management Remote Code Execution Vulnerability | |||||||
CVE-2020-1117 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9 |
Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | |||||||
CVE-2020-1063 | No | No | Less Likely | Less Likely | Important | ||
Microsoft Edge Elevation of Privilege Vulnerability | |||||||
CVE-2020-1056 | No | No | Less Likely | Less Likely | Critical | 5.4 | 4.9 |
Microsoft Edge PDF Remote Code Execution Vulnerability | |||||||
CVE-2020-1096 | No | No | Less Likely | Less Likely | Important | 4.2 | 3.8 |
Microsoft Edge Spoofing Vulnerability | |||||||
CVE-2020-1059 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9 |
Microsoft Excel Remote Code Execution Vulnerability | |||||||
CVE-2020-0901 | No | No | Less Likely | Less Likely | Important | ||
Microsoft Graphics Components Remote Code Execution Vulnerability | |||||||
CVE-2020-1153 | No | No | More Likely | Less Likely | Critical | 7.8 | 7.0 |
Microsoft Office SharePoint XSS Vulnerability | |||||||
CVE-2020-1099 | No | No | Less Likely | Less Likely | Important | ||
CVE-2020-1101 | No | No | Less Likely | Less Likely | Important | ||
CVE-2020-1100 | No | No | Less Likely | Less Likely | Important | ||
CVE-2020-1106 | No | No | Less Likely | Less Likely | Important | ||
Microsoft Power BI Report Server Spoofing Vulnerability | |||||||
CVE-2020-1173 | No | No | Less Likely | Less Likely | Important | ||
Microsoft Script Runtime Remote Code Execution Vulnerability | |||||||
CVE-2020-1061 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8 |
Microsoft SharePoint Information Disclosure Vulnerability | |||||||
CVE-2020-1103 | No | No | Less Likely | Less Likely | Important | ||
Microsoft SharePoint Remote Code Execution Vulnerability | |||||||
CVE-2020-1023 | No | No | Less Likely | Less Likely | Critical | ||
CVE-2020-1024 | No | No | Less Likely | Less Likely | Critical | ||
CVE-2020-1102 | No | No | Less Likely | Less Likely | Critical | ||
Microsoft SharePoint Server Remote Code Execution Vulnerability | |||||||
CVE-2020-1069 | No | No | Less Likely | Less Likely | Critical | ||
Microsoft SharePoint Spoofing Vulnerability | |||||||
CVE-2020-1107 | No | No | Less Likely | Less Likely | Important | ||
CVE-2020-1104 | No | No | Less Likely | Less Likely | Important | ||
CVE-2020-1105 | No | No | Less Likely | Less Likely | Important | ||
Microsoft Windows Elevation of Privilege Vulnerability | |||||||
CVE-2020-1010 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1068 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1079 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Microsoft Windows Transport Layer Security Denial of Service Vulnerability | |||||||
CVE-2020-1118 | No | No | Less Likely | Less Likely | Important | 8.6 | 7.7 |
Scripting Engine Memory Corruption Vulnerability | |||||||
CVE-2020-1065 | No | No | Less Likely | Less Likely | Critical | 4.2 | 3.8 |
VBScript Remote Code Execution Vulnerability | |||||||
CVE-2020-1035 | No | No | More Likely | More Likely | Important | 6.4 | 5.8 |
CVE-2020-1058 | No | No | More Likely | More Likely | Important | 6.4 | 5.8 |
CVE-2020-1060 | No | No | More Likely | More Likely | Important | 6.4 | 5.8 |
CVE-2020-1093 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8 |
Visual Studio Code Python Extension Remote Code Execution Vulnerability | |||||||
CVE-2020-1192 | No | No | Less Likely | Less Likely | Critical | ||
CVE-2020-1171 | No | No | Less Likely | Less Likely | Important | ||
Win32k Elevation of Privilege Vulnerability | |||||||
CVE-2020-1054 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
CVE-2020-1143 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability | |||||||
CVE-2020-1112 | No | No | Less Likely | Less Likely | Important | 8.5 | 7.6 |
Windows CSRSS Information Disclosure Vulnerability | |||||||
CVE-2020-1116 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
Windows Clipboard Service Elevation of Privilege Vulnerability | |||||||
CVE-2020-1111 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1121 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
CVE-2020-1165 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1166 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Windows Common Log File System Driver Elevation of Privilege Vulnerability | |||||||
CVE-2020-1154 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Windows Denial of Service Vulnerability | |||||||
CVE-2020-1076 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
Windows Error Reporting Elevation of Privilege Vulnerability | |||||||
CVE-2020-1021 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1082 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1088 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Windows Error Reporting Manager Elevation of Privilege Vulnerability | |||||||
CVE-2020-1132 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
Windows GDI Elevation of Privilege Vulnerability | |||||||
CVE-2020-1142 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Windows GDI Information Disclosure Vulnerability | |||||||
CVE-2020-0963 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
CVE-2020-1179 | No | No | Less Likely | Less Likely | Important | ||
CVE-2020-1141 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
CVE-2020-1145 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
Windows Graphics Component Elevation of Privilege Vulnerability | |||||||
CVE-2020-1135 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
Windows Hyper-V Denial of Service Vulnerability | |||||||
CVE-2020-0909 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7 |
Windows Installer Elevation of Privilege Vulnerability | |||||||
CVE-2020-1078 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Windows Kernel Elevation of Privilege Vulnerability | |||||||
CVE-2020-1114 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1087 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Windows Kernel Information Disclosure Vulnerability | |||||||
CVE-2020-1072 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
Windows Print Spooler Elevation of Privilege Vulnerability | |||||||
CVE-2020-1048 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1070 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Windows Printer Service Elevation of Privilege Vulnerability | |||||||
CVE-2020-1081 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Windows Push Notification Service Elevation of Privilege Vulnerability | |||||||
CVE-2020-1137 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Windows Remote Access Common Dialog Elevation of Privilege Vulnerability | |||||||
CVE-2020-1071 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
Windows Remote Code Execution Vulnerability | |||||||
CVE-2020-1067 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Windows Runtime Elevation of Privilege Vulnerability | |||||||
CVE-2020-1149 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
CVE-2020-1151 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
CVE-2020-1155 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1156 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1157 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1158 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1077 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1086 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1090 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1125 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
CVE-2020-1139 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1164 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
Windows State Repository Service Elevation of Privilege Vulnerability | |||||||
CVE-2020-1124 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1134 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1144 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1186 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1189 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1190 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1131 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
CVE-2020-1184 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1185 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1187 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1188 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1191 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Windows Storage Service Elevation of Privilege Vulnerability | |||||||
CVE-2020-1138 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
Windows Subsystem for Linux Information Disclosure Vulnerability | |||||||
CVE-2020-1075 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
Windows Task Scheduler Security Feature Bypass Vulnerability | |||||||
CVE-2020-1113 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8 |
Windows Update Stack Elevation of Privilege Vulnerability | |||||||
CVE-2020-1110 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
CVE-2020-1109 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
--
Renato Marinho
Morphus Labs