Advisory Patch Tuesday – May 2020

aeCERT One of Telecommunications Regulatory Authority (TRA) Initiatives P O Box 116688, Dubai, United Arab Emirates (UAE) www.aecert.ae | www.tra.gov.ae

Version: 1.0 Ref: ADV-20-047 Document Date: 13/05/2020

Document Details

Disclaimer

Whilst every effort has been made to ensure the accuracy of the information contained within this report, aeCERT and the TRA bear no liability or responsibility for any recommendations issued or inadvertent damages that could be caused by the recipient of this information.

Accessing third-party links in this advisory will direct you to an external website. Please note that aeCERT bears no responsibility for third-party website traffic. aeCERT will have no liability to the entities for the content or use of the content available through the hyperlinks that are referenced.

Contents

Summary

Details

Recommendations

References

Summary

As the leading trusted secure cyber coordination center in the region, aeCERT would like to inform you of the latest Microsoft security updates that aim to patch recent vulnerabilities discovered in a number of their products. In order to be protected from security risks, users should apply the patches as soon as the security updates are released.

Details

Microsoft releases security updates on the third Tuesday of every month, a tradition known as Patch Tuesday. These security updates affect a number of its products and systems. The security updates released by Microsoft for the Patch Tuesday of May 2020 address a large number of vulnerabilities:

• 13 vulnerabilities of Critical severity
• 91 vulnerabilities of Important severity
• 3 vulnerabilities of Moderate severity
• 4 vulnerabilities of Low severity

The table below lists the vulnerabilities addressed by the security update, together with the product families they impact and their CVE numbers.

| Product Family | CVE Number | Vulnerability Impact | Severity |
|---|---|---|---|
| .NET Core | CVE-2020-1161 | ASP.NET Core Denial of Service Vulnerability | Important |
| .NET Core | CVE-2020-1108 | .NET Core & .NET Framework Denial of Service Vulnerability | Important |
| .NET Framework | CVE-2020-1066 | .NET Framework Elevation of Privilege Vulnerability | Important |
| Active Directory | CVE-2020-1055 | Microsoft Federation Services Cross-Site Scripting Vulnerability | Important |
| Common Log Driver | CVE-2020-1154 | Windows Driver Elevation of Privilege Vulnerability | Important |
| Internet Explorer | CVE-2020-1092 | Memory Corruption Vulnerability | Low |
| Internet Explorer | CVE-2020-1064 | MSHTML Engine Remote Code Execution Vulnerability | Moderate |
| Internet Explorer | CVE-2020-1062 | Internet Explorer Memory Corruption Vulnerability | Moderate |
| Internet Explorer | CVE-2020-1093 | VBScript Remote Code Execution Vulnerability | Moderate |
| | CVE-2020-1063 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important |
| Microsoft Edge | CVE-2020-1059 | Spoofing Vulnerability | Important |
| Microsoft Edge | CVE-2020-1056 | Microsoft Edge Elevation of Privilege Vulnerability | Critical |
| Microsoft Edge | CVE-2020-1096 | Microsoft Edge PDF Remote Code Execution Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1145 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1135 | Windows Graphics Component Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1179 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1153 | Microsoft Graphics Components Remote Code Execution Vulnerability | Critical |
| Microsoft Graphics Component | CVE-2020-1140 | DirectX Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-0963 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1054 | Win32k Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1142 | Windows GDI Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1117 | Microsoft Color Management Remote Code Execution Vulnerability | Critical |
| Microsoft Graphics Component | CVE-2020-1141 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-1176 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-1051 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-1175 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-1174 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| | CVE-2020-0901 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1069 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-1100 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1105 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1102 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-1024 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-1023 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-1104 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1101 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1099 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1103 | Microsoft SharePoint Information Disclosure Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1107 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1106 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Scripting Engine | CVE-2020-1060 | VBScript Remote Code Execution Vulnerability | Low |
| Microsoft Scripting Engine | CVE-2020-1065 | Scripting Engine Memory Corruption Vulnerability | Critical |
| Microsoft Scripting Engine | CVE-2020-1037 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
| Microsoft Scripting Engine | CVE-2020-1035 | VBScript Remote Code Execution Vulnerability | Low |
| Microsoft Scripting Engine | CVE-2020-1058 | VBScript Remote Code Execution Vulnerability | Low |
| | CVE-2020-1111 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1112 | Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1082 | Windows Error Reporting Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1086 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1048 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1090 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1088 | Windows Error Reporting Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1166 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1021 | Windows Error Reporting Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1164 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1165 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1184 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1188 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1191 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1185 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1187 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1125 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1131 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1121 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1123 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important |
| Microsoft Windows | CVE-2020-1132 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1010 | Microsoft Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1028 | Media Foundation Memory Corruption Vulnerability | Critical |
| Microsoft Windows | CVE-2020-1136 | Media Foundation Memory Corruption Vulnerability | Critical |
| Microsoft Windows | CVE-2020-1139 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1144 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1149 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1076 | Windows Denial of Service Vulnerability | Important |
| Microsoft Windows | CVE-2020-1143 | Win32k Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1071 | Windows Remote Access Common Dialog Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1155 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1150 | Media Foundation Memory Corruption Vulnerability | Important |
| Microsoft Windows | CVE-2020-1151 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1138 | Windows Storage Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1118 | Microsoft Windows Transport Layer Security Denial of Service Vulnerability | Important |
| Microsoft Windows | CVE-2020-1124 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1084 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important |
| Microsoft Windows | CVE-2020-1116 | Windows CSRSS Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-1078 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1137 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1126 | Media Foundation Memory Corruption Vulnerability | Critical |
| Microsoft Windows | CVE-2020-1134 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1070 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1068 | Microsoft Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1067 | Windows Remote Code Execution Vulnerability | Important |
| Microsoft Windows | CVE-2020-1072 | Windows Kernel Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-1081 | Windows Printer Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1079 | Microsoft Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1077 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1190 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1158 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1157 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1186 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1156 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1189 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Power BI | CVE-2020-1173 | Microsoft Power BI Report Server Spoofing Vulnerability | Important |
| Visual Studio | CVE-2020-1192 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Critical |
| Visual Studio | CVE-2020-1171 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Important |
| Windows Hyper-V | CVE-2020-0909 | Windows Hyper-V Denial of Service Vulnerability | Important |
| Windows Kernel | CVE-2020-1114 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-1087 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Scripting | CVE-2020-1061 | Microsoft Script Runtime Remote Code Execution Vulnerability | Important |
| Windows Subsystem for Linux | CVE-2020-1075 | Windows Subsystem for Linux Information Disclosure Vulnerability | Important |
| | CVE-2020-1113 | Windows Task Scheduler Security Feature Bypass Vulnerability | Important |
| Windows Update Stack | CVE-2020-1109 | Windows Update Stack Elevation of Privilege Vulnerability | Important |
| Windows Update Stack | CVE-2020-1110 | Windows Update Stack Elevation of Privilege Vulnerability | Important |

Recommendations

To avoid exploitation of these vulnerabilities, aeCERT strongly recommends installing the latest security updates released by Microsoft for the affected products.

References

Microsoft

aeCERT Contact Info

P.O. Box 116688 Dubai, United Arab Emirates

Tel (+971) 4 777 4003 Fax (+971) 4 777 4100 Email incident[at]aeCERT.ae Instagram @TheUAETRA Twitter @TheUAETRA

For secure communications with aeCERT with regards to sensitive or vulnerability information please send your correspondences to incident[at]aeCERT.ae
