On the positive side, despite being the largest Patch Tuesday in the history of the company, it doesn’t include fixes for zero-day bugs, meaning that none of the vulnerabilities were exploited in the wild.
11 Critical Flaws Addressed in June 2020 Patch Tuesday
June 2020 Patch Tuesday includes fixes for LNK, SMB, SharePoint, and Win32k vulnerabilities, of which only 11 were rated critical. One of the LNK-related flaws is CVE-2020-1299. The flaw can be exploited by having the affected system process a malicious .LNK file, which can be done with the help of a remote drive or remote share.
CVE-2020-1219 is another example of the critical vulnerabilities patched in June 2020 Patch Tuesday. This critical issue is a browser memory corruption flaw existing in the way Microsoft browsers access objects in memory. Exploitation is possible via a specially crafted website designed to leverage the bug, leading to gaining control of the targeted system.
Three SMB vulnerabilities were also addressed: CVE-2020-1301, CVE-2020-1206, and CVE-2020-1321.
According to Airbus security researchers, CVE-2020-1301, also known as “SMBLost”, is not as harmful as “SMBGhost” or “Eternal Blue” exploits, as it requires two significant prerequisites:
1. The need to have user credentials to connect to a remote share folder;
2. A partition must be shared on the server such as “c:\”, “d:\” and so on. However, even if such a configuration is sometimes done to serve specific requirements, the Airbus team is not completely sure that is the only way to reach the vulnerability.
The two other SMB vulnerabilities are related to SMBv3. CVE-2020-1206 is an information disclosure vulnerability, whereas CVE-2020-1321 is related to remote code execution.
June 2020 Patch Tuesday: RCE Bugs
The list of remote code execution flaws also includes CVE-2020-1181 in Microsoft SharePoint, CVE-2020-1225, CVE-2020-1226 in Microsoft Excel, CVE-2020-1223 in Word for Android, CVE-2020-1248 in the Windows Graphics Device Interface (GDI), CVE-2020-1281 in Windows OLE, CVE-2020-1300 in the Windows OS print spooler component.
Windows VBScript scripting engine was also patched against several RCE bugs, including CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260.
Bugs in Microsoft Office and Microsoft Excel
Several vulnerabilities were also addressed in Microsoft Office and Excel. Two separate Excel flaws, CVE-2020-1225 and CVE-2020-1226, could be exploited to remotely take over a computer by tricking the user into opening a malicious document. CVE-2020-1229 which resides in most versions of Microsoft Office may be exploited to bypass security features in the application simply by previewing a malicious document in the preview pane. Office for Mac is also impacted by this vulnerability, with a patch for it yet to be made available.
In a separate security advisory this month, Microsoft also addressed a .NET core system issue, known under CVE-2020-1108. This was a critical problem that resulted in the ability to conduct Denial of Service (DoS) attacks which can be used to sabotage computer networks.