Advisory Microsoft Patch Tuesday – May 2020
aeCERT One of Telecommunications Regulatory Authority (TRA) Initiatives P O Box 116688, Dubai, United Arab Emirates (UAE) www.aecert.ae | www.tra.gov.ae
Version: 1.0 Ref: ADV-20-047 Document Date: 13/05/2020
Document Details
Disclaimer
Whilst every effort has been made to ensure the accuracy of the information contained within this report, aeCERT and the TRA bear no liability or responsibility for any recommendations issued or inadvertent damages that could be caused by the recipient of this information.
Accessing third-party links in this advisory will direct you to an external website. Please note that aeCERT bears no responsibility for third-party website traffic. aeCERT will have no liability to the entities for the content or use of the content available through the hyperlinks that are referenced.
Contents
Summary
Details
Recommendations
References
Summary
As the leading trusted secure cyber coordination center in the region, aeCERT would like to inform you of the latest Microsoft security updates, which patch recently discovered vulnerabilities in a number of Microsoft products. To be protected from security risks, users should apply the patches as soon as the security updates are released.
Details
Microsoft releases security updates on the third Tuesday of every month – a tradition that has been called Patch Tuesday. These security updates affect a number of Microsoft products and systems. The security updates released by Microsoft for the Patch Tuesday of May 2020 address a number of vulnerabilities:
• 13 vulnerabilities of Critical severity
• 91 vulnerabilities of Important severity
• 3 vulnerabilities of Moderate severity
• 4 vulnerabilities of Low severity
The table below lists the vulnerabilities addressed by the security update, together with the impacted product families and the CVE numbers.
Product Family | CVE Number | Vulnerability Impact | Severity
.NET Core | CVE-2020-1161 | ASP.NET Core Denial of Service Vulnerability | Important
.NET Core | CVE-2020-1108 | .NET Core & .NET Framework Denial of Service Vulnerability | Important
.NET Framework | CVE-2020-1066 | .NET Framework Elevation of Privilege Vulnerability | Important
Active Directory | CVE-2020-1055 | Microsoft Active Directory Federation Services Cross-Site Scripting Vulnerability | Important
Common Log File System Driver | CVE-2020-1154 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important
Internet Explorer | CVE-2020-1092 | Internet Explorer Memory Corruption Vulnerability | Low
Internet Explorer | CVE-2020-1064 | MSHTML Engine Remote Code Execution Vulnerability | Moderate
Internet Explorer | CVE-2020-1062 | Internet Explorer Memory Corruption Vulnerability | Moderate
Internet Explorer | CVE-2020-1093 | VBScript Remote Code Execution Vulnerability | Moderate
Microsoft Dynamics | CVE-2020-1063 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important
Microsoft Edge | CVE-2020-1059 | Microsoft Edge Spoofing Vulnerability | Important
Microsoft Edge | CVE-2020-1056 | Microsoft Edge Elevation of Privilege Vulnerability | Critical
Microsoft Edge | CVE-2020-1096 | Microsoft Edge PDF Remote Code Execution Vulnerability | Important
Microsoft Graphics Component | CVE-2020-1145 | Windows GDI Information Disclosure Vulnerability | Important
Microsoft Graphics Component | CVE-2020-1135 | Windows Graphics Component Elevation of Privilege Vulnerability | Important
Microsoft Graphics Component | CVE-2020-1179 | Windows GDI Information Disclosure Vulnerability | Important
Microsoft Graphics Component | CVE-2020-1153 | Microsoft Graphics Components Remote Code Execution Vulnerability | Critical
Microsoft Graphics Component | CVE-2020-1140 | DirectX Elevation of Privilege Vulnerability | Important
Microsoft Graphics Component | CVE-2020-0963 | Windows GDI Information Disclosure Vulnerability | Important
Microsoft Graphics Component | CVE-2020-1054 | Win32k Elevation of Privilege Vulnerability | Important
Microsoft Graphics Component | CVE-2020-1142 | Windows GDI Elevation of Privilege Vulnerability | Important
Microsoft Graphics Component | CVE-2020-1117 | Microsoft Color Management Remote Code Execution Vulnerability | Critical
Microsoft Graphics Component | CVE-2020-1141 | Windows GDI Information Disclosure Vulnerability | Important
Microsoft JET Database Engine | CVE-2020-1176 | Jet Database Engine Remote Code Execution Vulnerability | Important
Microsoft JET Database Engine | CVE-2020-1051 | Jet Database Engine Remote Code Execution Vulnerability | Important
Microsoft JET Database Engine | CVE-2020-1175 | Jet Database Engine Remote Code Execution Vulnerability | Important
Microsoft JET Database Engine | CVE-2020-1174 | Jet Database Engine Remote Code Execution Vulnerability | Important
Microsoft Office | CVE-2020-0901 | Microsoft Excel Remote Code Execution Vulnerability | Important
Microsoft Office SharePoint | CVE-2020-1069 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical
Microsoft Office SharePoint | CVE-2020-1100 | Microsoft Office SharePoint XSS Vulnerability | Important
Microsoft Office SharePoint | CVE-2020-1105 | Microsoft SharePoint Spoofing Vulnerability | Important
Microsoft Office SharePoint | CVE-2020-1102 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical
Microsoft Office SharePoint | CVE-2020-1024 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical
Microsoft Office SharePoint | CVE-2020-1023 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical
Microsoft Office SharePoint | CVE-2020-1104 | Microsoft SharePoint Spoofing Vulnerability | Important
Microsoft Office SharePoint | CVE-2020-1101 | Microsoft Office SharePoint XSS Vulnerability | Important
Microsoft Office SharePoint | CVE-2020-1099 | Microsoft Office SharePoint XSS Vulnerability | Important
Microsoft Office SharePoint | CVE-2020-1103 | Microsoft SharePoint Information Disclosure Vulnerability | Important
Microsoft Office SharePoint | CVE-2020-1107 | Microsoft SharePoint Spoofing Vulnerability | Important
Microsoft Office SharePoint | CVE-2020-1106 | Microsoft Office SharePoint XSS Vulnerability | Important
Microsoft Scripting Engine | CVE-2020-1060 | VBScript Remote Code Execution Vulnerability | Low
Microsoft Scripting Engine | CVE-2020-1065 | Scripting Engine Memory Corruption Vulnerability | Critical
Microsoft Scripting Engine | CVE-2020-1037 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical
Microsoft Scripting Engine | CVE-2020-1035 | VBScript Remote Code Execution Vulnerability | Low
Microsoft Scripting Engine | CVE-2020-1058 | VBScript Remote Code Execution Vulnerability | Low
Microsoft Windows | CVE-2020-1111 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1112 | Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1082 | Windows Error Reporting Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1086 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1048 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1090 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1088 | Windows Error Reporting Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1166 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1021 | Windows Error Reporting Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1164 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1165 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1184 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1188 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1191 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1185 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1187 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1125 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1131 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1121 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1123 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important
Microsoft Windows | CVE-2020-1132 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1010 | Microsoft Windows Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1028 | Media Foundation Memory Corruption Vulnerability | Critical
Microsoft Windows | CVE-2020-1136 | Media Foundation Memory Corruption Vulnerability | Critical
Microsoft Windows | CVE-2020-1139 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1144 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1149 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1076 | Windows Denial of Service Vulnerability | Important
Microsoft Windows | CVE-2020-1143 | Win32k Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1071 | Windows Remote Access Common Dialog Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1155 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1150 | Media Foundation Memory Corruption Vulnerability | Important
Microsoft Windows | CVE-2020-1151 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1138 | Windows Storage Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1118 | Microsoft Windows Transport Layer Security Denial of Service Vulnerability | Important
Microsoft Windows | CVE-2020-1124 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1084 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important
Microsoft Windows | CVE-2020-1116 | Windows CSRSS Information Disclosure Vulnerability | Important
Microsoft Windows | CVE-2020-1078 | Windows Installer Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1137 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1126 | Media Foundation Memory Corruption Vulnerability | Critical
Microsoft Windows | CVE-2020-1134 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1070 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1068 | Microsoft Windows Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1067 | Windows Remote Code Execution Vulnerability | Important
Microsoft Windows | CVE-2020-1072 | Windows Kernel Information Disclosure Vulnerability | Important
Microsoft Windows | CVE-2020-1081 | Windows Printer Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1079 | Microsoft Windows Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1077 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1190 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1158 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1157 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1186 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1156 | Windows Runtime Elevation of Privilege Vulnerability | Important
Microsoft Windows | CVE-2020-1189 | Windows State Repository Service Elevation of Privilege Vulnerability | Important
Power BI | CVE-2020-1173 | Microsoft Power BI Report Server Spoofing Vulnerability | Important
Visual Studio | CVE-2020-1192 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Critical
Visual Studio | CVE-2020-1171 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Important
Windows Hyper-V | CVE-2020-0909 | Windows Hyper-V Denial of Service Vulnerability | Important
Windows Kernel | CVE-2020-1114 | Windows Kernel Elevation of Privilege Vulnerability | Important
Windows Kernel | CVE-2020-1087 | Windows Kernel Elevation of Privilege Vulnerability | Important
Windows Scripting | CVE-2020-1061 | Microsoft Script Runtime Remote Code Execution Vulnerability | Important
Windows Subsystem for Linux | CVE-2020-1075 | Windows Subsystem for Linux Information Disclosure Vulnerability | Important
Windows Task Scheduler | CVE-2020-1113 | Windows Task Scheduler Security Feature Bypass Vulnerability | Important
Windows Update Stack | CVE-2020-1109 | Windows Update Stack Elevation of Privilege Vulnerability | Important
Windows Update Stack | CVE-2020-1110 | Windows Update Stack Elevation of Privilege Vulnerability | Important
Recommendations
To avoid exploitation of these vulnerabilities, aeCERT strongly recommends installing the latest security updates released by Microsoft for the affected products.
References
Microsoft
aeCERT Contact Info
P.O. Box 116688 Dubai, United Arab Emirates
Tel (+971) 4 777 4003 Fax (+971) 4 777 4100 Email incident[at]aeCERT.ae Instagram @TheUAETRA Twitter @TheUAETRA
For secure communications with aeCERT regarding sensitive or vulnerability information, please send your correspondence to incident[at]aeCERT.ae