May Patch Tuesday 2020 fixes 111 vulnerabilities

As IT administrators do their best to cope with business continuity plans, it’s imperative to understand and manage patch updates. With cybersecurity threats on the rise thanks to the pandemic making its rounds, understanding the Patch Tuesday releases and finding ways to deploy them to remote endpoints efficiently is essential. Microsoft has released fixes for a total of 111 vulnerabilities, among which 13 are classified as Critical, and 91 as Important. Also, it’s been reported that there are no zero-day or unpatched vulnerabilities this month.

A lineup of the significant updates released

Microsoft security updates have been released for:

•  Microsoft Windows
•  Microsoft Edge (EdgeHTML-based)
•  Microsoft Edge (Chromium-based)
•  ChakraCore
• Internet Explorer
• Microsoft Office and Microsoft Office services and Web Apps
• Windows Defender
• Visual Studio
• Microsoft Dynamics
• .NET Framework
• .NET Core
• Power BI

Noteworthy updates

Three Critical vulnerabilities in Microsoft Edge that could potentially allow remote code execution have been fixed this Patch Tuesday.

• CVE-2020-1056 – Microsoft Edge Elevation of Privilege Vulnerability

• CVE-2020-1059 – Microsoft Edge Spoofing Vulnerability

• CVE-2020-1096 – Microsoft Edge PDF Remote Code Execution Vulnerability

Also, another potential remote code execution vulnerability in the Microsoft Color Management Module (ICM32.dll) has been fixed.

• CVE-2020-1117 | Microsoft Color Management Remote Code Execution Vulnerability

 

Shedding some light on this month’s highlights

Vulnerabilities in the Windows graphic components

A total of 10 critical vulnerabilities in the core Windows graphic components  that could lead to local elevation of privilege attacks have been fixed. However, in order to exploit these vulnerabilities, one must get their hands on the access to execute codes in the Windows graphical session.

Listed below are the vulnerabilities:

CVE-2020-1054

CVE-2020-1143

CVE-2020-0915

CVE-2020-0916

CVE-2020-0963

CVE-2020-1141

CVE-2020-1142

CVE-2020-1145

CVE-2020-1135

CVE-2020-1153  

Fixes for the memory corruption vulnerabilities in web browser components

Components like ChakraCore and the JavaScript engine have been affected by multiple memory corruption vulnerabilities. On successful exploitation, an attacker will be able to execute arbitrary codes remotely. Below you can find a lineup for this category of vulnerabilities:

CVE-2020-1037

CVE-2020-1056

CVE-2020-1059

CVE-2020-1096

CVE-2020-1062

CVE-2020-1092

CVE-2020-1093  

Vulnerabilities in other Windows services

Microsoft has released patch fixes for vulnerabilities in Windows services like Connected User Experiences and Telemetry, Background Intelligent Transfer Service (BITS), Push Notification Services, and Print and Document Services, among others. Find the list of CVE IDs below: 

CVE-2020-1084

CVE-2020-1123

CVE-2020-1137

CVE-2020-1081

Other notable mentions

• Coinciding with this month’s Patch Tuesday, Adobe has fixed 36 vulnerabilities, including 16 critical flaws in Acrobat, Reader, and its DNG Software Development Kit.
• The servicing stack advisory has been updated for this Patch Tuesday. Read the advisory document to install the latest servicing stack updates available.

Sign up for ManageEngine’s free webinar on Patch Tuesday updates to get a complete break down of the security, non-security, and other third-party updates released for this Patch Tuesday. 

Keep reading for a few best practices that are ideal in a remote patch management scenario:

• Prioritize security updates over non-security and optional updates.

• Directly download patches to endpoints, rather than downloading them in your server and distributing them to remote locations.

• Schedule automation tasks specifically for deploying critical patches for timely updates.

• Plan to set broad deployment windows so that critical updates are not missed due to unavoidable hindrances.

• Allow end users to be able to skip deployments to avoid a disturbance in productivity.

• Ensure the machines under your scope do not run any end-of-life OS or applications.

• Always test the patch updates before deploying them to the endpoints.

• Ensure you use a secure gateway server to establish a safe connection between your remote endpoints.

Get an idea on how you can implement these best practices with ease using Patch Manager Plus or Desktop Central. Register for our free Patch Tuesday webinar, and observe the-real time execution of these practices. Also, get insights on trending cybersecurity incidents, and clarify all your questions with our product specialists.

Sign up now!

Happy patching and stay safe!