Automox Patch Tuesday Breakdown: June 2020

Welcome to June’s Patch Tuesday breakdown.

This month brings one of the largest Patch Tuesday updates ever released from Microsoft, with patches for 129 vulnerabilities. Of these, 11 are rated critical. While there are no zero-days to contend with this month, the sheer volume of updates is more than enough to keep Windows administrators busy. For June, Adobe and Mozilla Firefox have also released a number of critical security updates for their products.

June’s Patch Tuesday rollout continues the wave of massive security updates we’ve seen over the last few months. Wrangling hundreds of updates across an entire network can be challenging enough, and the shift to remote work has created a new level of difficulty for patch management. Between the struggle of managing remote endpoints and parsing through hundreds of patches, many organizations are finding that their resources are getting stretched too thin. It is not uncommon for vulnerabilities to accumulate, especially on remote devices, and delays in patch deployment can create an unnecessary risk. With the shift to remote work here to stay, many organizations are now looking for modern solutions for patch management and endpoint hardening.

Deploying security updates regularly, and quickly, is a key component of cyber hygiene best practices. See last month’s breakdown for coverage of May’s Patch Tuesday update.

Patch Tuesday Highlights From Microsoft

For June, Microsoft has released 129 new patches, with 11 updates rated critical and 109 rated important. Some of this month’s top critical and important updates include:

This month, Microsoft addressed a number of critical remote code execution vulnerabilities. CVE-2020-1248 is a critically rated vulnerability affecting the way Windows Graphics Device Interface (GDI) handles objects in memory. Attackers can attempt exploitation through web-based or file-sharing attack scenarios. In either case, remote code execution is possible. Microsoft resolves this issue by changing how GDI handles objects in memory.

CVE-2020-1281 is an RCE which exists when Windows OLE fails to properly validate user input. Attackers can attempt to exploit this vulnerability by tricking users into opening a maliciously designed file or program through a web page or email.

CVE-2020-1286 is found when Windows Shell doesn’t properly validate file paths and CVE-2020-1299 is a vulnerability that exists in Windows when a .LNK file is processed. CVE-2020-1300 is another vulnerability found in Windows that exists when cabinet files are handled incorrectly. All are RCE vulnerabilities that can be exploited through the use of malicious files.

CVE-2020-1073 is yet another remote code execution vulnerability that occurs in the way that ChakraCore scripting engine handles objects in memory. For Microsoft Edge users, this means that attackers can potentially use specially crafted websites to trigger memory corruption, run arbitrary code and seize control of the target system. CVE-2020-1219 is a similar vulnerability that also affects Microsoft web browsers. The June update from Microsoft resolves these issues by correcting how objects in memory are handled.

CVE-2020-1206 is an information disclosure vulnerability found in SMBv3 which can affect both clients and servers. Attackers can use specially crafted packets to a targeted SMBv3 server to attempt exploitation against a server. On the client side, attackers could configure a malicious SMBv3 server and convince clients to connect to it. A similarly exploited vulnerability found in SMBv3, CVE-2020-1284, involves denial of service, and with successful exploitation, attackers can try to crash victim systems. Microsoft addresses these issues by changing how SMBv3 handles specially crafted requests.

CVE-2020-1301 is a remote code execution vulnerability found in SMBv1 and is similar to -1206. Attackers can exploit this vulnerability by sending specially crafted packages to an affected server, without needing any user interaction.

More On Updates from Microsoft

CVE-2020-1214, -1215, -1216, -1230 and -1260 are all vulnerabilities related to the VBScript engine and how it handles objects in memory. There are multiple ways in which attackers can attempt to exploit these vulnerabilities. In a web-based attack scenario, attackers can host a maliciously designed website for exploitation and trick users into viewing the webpage. From there, attackers can gain the rights of the current user -- potentially allowing them to view, change or delete data, install new programs, and create new user accounts.

Given how commonly used web browsers are, experts are suggesting that these vulnerabilities should be patched immediately as the likelihood of exploitation is high.

CVE-2020-1241 is a security feature bypass vulnerability, which occurs when Windows Kernel fails to properly sanitize certain parameters. A locally authenticated attacker can attempt to exploit this vulnerability by running a targeted application on a victim system. This month’s update resolves the issue by correcting parameter sanitation in Windows Kernel.

While -1241 only gets a rating of important, anytime there is a vulnerability that can bypass Windows Kernel security features, it should be addressed.

For June, Microsoft also released four patches addressing elevation of privilege vulnerabilities related to Win32k. These include CVE-2020-1207, -1247, -1251, and -1253. These vulnerabilities exist when the Windows kernel-mode drivers fail to handle objects in memory correctly. Attackers can use specially crafted applications to attempt to exploit these vulnerabilities and gain control of the target system. While these vulnerabilities are rated as important, Microsoft itself notes that exploitation may be more likely. Microsoft addresses these issues by correcting how objects in memory are handled.

Other Patch Tuesday Updates

This June, we are also looking at a few security updates from Adobe, Mozilla, and Google Chrome.

Adobe has released a number of security updates for three of its products: Flash Player, Experience Manager, and Framemaker. The update from Adobe includes three critical security updates for Framemaker and one critical update for FlashPlayer; all can lead to arbitrary code execution.

Earlier in June, Mozilla also released updates for Firefox 77, Firefox ESR 68.9, and Thunderbird 68.9. This month, Google also released a security update for Chrome 83.

While Windows may have released a beast of an update this month, third-party vendors are keeping it light, at least for now. However, systems administrators are likely to find this month’s update is a lot for their systems to digest.

The limitations of legacy, on-premise technology are becoming more apparent in the modern workspace. Remote work is here to stay, and that can represent a significant change in what an organization’s attack surface might look like. Managing and securing large numbers of remote devices can be challenging, especially when there are large numbers of patches to deploy. Traditional VPNs are not built for handling large amounts of traffic; this does not bode well for an entire workforce gone remote that now needs hundreds of megabytes of patches.

For organizations of all sizes, developing a patch management strategy that actually yields pre-incursion value, and provides protection before attackers sink their hooks in, is essential. Modern, cloud-native endpoint hardening solutions like Automox can help organizations achieve a higher level of patching confidence and faster patching speeds across all of their endpoints -- no matter where they’re located.

About Automox Automated Patch Management

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.