Advisory Microsoft Patch Tuesday – May 2020 aeCERT One of Telecommunications Regulatory Authority (TRA) Initiatives P O Box 116688, Dubai, United Arab Emirates (UAE) www.aecert.ae | www.tra.gov.ae Version: 1.0 Ref: ADV-20-047 Document Date: 13/05/2020 Document Details Disclaimer Whilst every effort has been made to ensure the accuracy of the information contained within this report, aeCERT and the TRA bear no liability or responsibility for any recommendations issued or inadvertent damages that could be caused by the recipient of this information. Accessing third-party links in this advisory will direct you to an external website. Please note that aeCERT bears no responsibility for third-party website traffic. aeCERT will have no liability to the entities for the content or use of the content available through the hyperlinks that are referenced. Contents Contents 1 Summary 2 Details 2 Recommendations 8 References 8 1 | P a g e Summary As the leading trusted secure cyber coordination center in the region, aeCERT would like to inform you of the latest Microsoft security updates that aim to patch recent vulnerabilities discovered in a number of their products. In order to be protected from security risks, users should apply the patches as soon as the security updates are released. Details Microsoft releases security updates on the third Tuesday of every month – a tradition that has been called Patch Tuesday. These security updates affect a number of their products and systems. The security updates released by Microsoft for the Patch Tuesday of May 2020 affect a numerous number of vulnerabilities, which are: • 13 vulnerabilities of Critical severity • 91 vulnerabilities of Important severity • 3 vulnerabilities of Moderate severity • 4 vulnerabilities of Low severity The vulnerabilities can be summarized in the table below, which illustrates a list of the vulnerabilities affected by the security update, as well as the product families impacted by the vulnerabilities, and the CVE numbers. Product Family CVE Number Vulnerability Impact Severity .NET Core CVE-2020-1161 ASP.NET Core Denial of Service Vulnerability Important .NET Core & .NET Framework Denial of Service .NET Core CVE-2020-1108 Important Vulnerability .NET Framework Elevation of Privilege .NET Framework CVE-2020-1066 Important Vulnerability Microsoft Active Directory Federation Services Active Directory CVE-2020-1055 Important Cross-Site Scripting Vulnerability Common Log File System Windows Common Log File System Driver CVE-2020-1154 Important Driver Elevation of Privilege Vulnerability Internet Explorer CVE-2020-1092 Internet Explorer Memory Corruption Vulnerability Low MSHTML Engine Remote Code Execution Internet Explorer CVE-2020-1064 Moderate Vulnerability 2 | P a g e Internet Explorer CVE-2020-1062 Internet Explorer Memory Corruption Vulnerability Moderate Internet Explorer CVE-2020-1093 VBScript Remote Code Execution Vulnerability Moderate Microsoft Dynamics 365 (On-Premise) Cross Site Microsoft Dynamics CVE-2020-1063 Important Scripting Vulnerability Microsoft Edge CVE-2020-1059 Microsoft Edge Spoofing Vulnerability Important Microsoft Edge CVE-2020-1056 Microsoft Edge Elevation of Privilege Vulnerability Critical Microsoft Edge PDF Remote Code Execution Microsoft Edge CVE-2020-1096 Important Vulnerability Microsoft Graphics CVE-2020-1145 Windows GDI Information Disclosure Vulnerability Important Component Microsoft Graphics Windows Graphics Component Elevation of CVE-2020-1135 Important Component Privilege Vulnerability Microsoft Graphics CVE-2020-1179 Windows GDI Information Disclosure Vulnerability Important Component Microsoft Graphics Microsoft Graphics Components Remote Code CVE-2020-1153 Critical Component Execution Vulnerability Microsoft Graphics CVE-2020-1140 DirectX Elevation of Privilege Vulnerability Important Component Microsoft Graphics CVE-2020-0963 Windows GDI Information Disclosure Vulnerability Important Component Microsoft Graphics CVE-2020-1054 Win32k Elevation of Privilege Vulnerability Important Component Microsoft Graphics CVE-2020-1142 Windows GDI Elevation of Privilege Vulnerability Important Component Microsoft Graphics Microsoft Color Management Remote Code CVE-2020-1117 Critical Component Execution Vulnerability Microsoft Graphics CVE-2020-1141 Windows GDI Information Disclosure Vulnerability Important Component Microsoft JET Database Jet Database Engine Remote Code Execution CVE-2020-1176 Important Engine Vulnerability Microsoft JET Database Jet Database Engine Remote Code Execution CVE-2020-1051 Important Engine Vulnerability Microsoft JET Database Jet Database Engine Remote Code Execution CVE-2020-1175 Important Engine Vulnerability Microsoft JET Database Jet Database Engine Remote Code Execution CVE-2020-1174 Important Engine Vulnerability Microsoft Excel Remote Code Execution Microsoft Office CVE-2020-0901 Important Vulnerability 3 | P a g e Microsoft Office Microsoft SharePoint Server Remote Code CVE-2020-1069 Critical SharePoint Execution Vulnerability Microsoft Office CVE-2020-1100 Microsoft Office SharePoint XSS Vulnerability Important SharePoint Microsoft Office CVE-2020-1105 Microsoft SharePoint Spoofing Vulnerability Important SharePoint Microsoft Office Microsoft SharePoint Remote Code Execution CVE-2020-1102 Critical SharePoint Vulnerability Microsoft Office Microsoft SharePoint Remote Code Execution CVE-2020-1024 Critical SharePoint Vulnerability Microsoft Office Microsoft SharePoint Remote Code Execution CVE-2020-1023 Critical SharePoint Vulnerability Microsoft Office CVE-2020-1104 Microsoft SharePoint Spoofing Vulnerability Important SharePoint Microsoft Office CVE-2020-1101 Microsoft Office SharePoint XSS Vulnerability Important SharePoint Microsoft Office CVE-2020-1099 Microsoft Office SharePoint XSS Vulnerability Important SharePoint Microsoft Office Microsoft SharePoint Information Disclosure CVE-2020-1103 Important SharePoint Vulnerability Microsoft Office CVE-2020-1107 Microsoft SharePoint Spoofing Vulnerability Important SharePoint Microsoft Office CVE-2020-1106 Microsoft Office SharePoint XSS Vulnerability Important SharePoint Microsoft Scripting Engine CVE-2020-1060 VBScript Remote Code Execution Vulnerability Low Microsoft Scripting Engine CVE-2020-1065 Scripting Engine Memory Corruption Vulnerability Critical Chakra Scripting Engine Memory Corruption Microsoft Scripting Engine CVE-2020-1037 Critical Vulnerability Microsoft Scripting Engine CVE-2020-1035 VBScript Remote Code Execution Vulnerability Low Microsoft Scripting Engine CVE-2020-1058 VBScript Remote Code Execution Vulnerability Low Windows Clipboard Service Elevation of Privilege Microsoft Windows CVE-2020-1111 Important Vulnerability Windows Background Intelligent Transfer Service Microsoft Windows CVE-2020-1112 Important Elevation of Privilege Vulnerability Windows Error Reporting Elevation of Privilege Microsoft Windows CVE-2020-1082 Important Vulnerability Windows Runtime Elevation of Privilege Microsoft Windows CVE-2020-1086 Important Vulnerability 4 | P a g e Windows Print Spooler Elevation of Privilege Microsoft Windows CVE-2020-1048 Important Vulnerability Windows Runtime Elevation of Privilege Microsoft Windows CVE-2020-1090 Important Vulnerability Windows Error Reporting Elevation of Privilege Microsoft Windows CVE-2020-1088 Important Vulnerability Windows Clipboard Service Elevation of Privilege Microsoft Windows CVE-2020-1166 Important Vulnerability Windows Error Reporting Elevation of Privilege Microsoft Windows CVE-2020-1021 Important Vulnerability Windows Runtime Elevation of Privilege Microsoft Windows CVE-2020-1164 Important Vulnerability Windows Clipboard Service Elevation of Privilege Microsoft Windows CVE-2020-1165 Important Vulnerability Windows State Repository Service Elevation of Microsoft Windows CVE-2020-1184 Important Privilege Vulnerability Windows State Repository Service Elevation of Microsoft Windows CVE-2020-1188 Important Privilege Vulnerability Windows State Repository Service Elevation of Microsoft Windows CVE-2020-1191 Important Privilege Vulnerability Windows State Repository Service Elevation of Microsoft Windows CVE-2020-1185 Important Privilege Vulnerability Windows State Repository Service Elevation of Microsoft Windows CVE-2020-1187 Important Privilege Vulnerability Windows Runtime Elevation of Privilege Microsoft Windows CVE-2020-1125 Important Vulnerability Windows State Repository Service Elevation of Microsoft Windows CVE-2020-1131 Important Privilege Vulnerability Windows Clipboard Service Elevation of Privilege Microsoft Windows CVE-2020-1121 Important Vulnerability Connected User Experiences and Telemetry Service Microsoft Windows CVE-2020-1123 Important Denial of Service Vulnerability Windows Error Reporting Manager Elevation of Microsoft Windows CVE-2020-1132 Important Privilege Vulnerability Microsoft Windows Elevation of Privilege Microsoft Windows CVE-2020-1010 Important Vulnerability Media Foundation Memory Corruption Microsoft Windows CVE-2020-1028 Critical Vulnerability 5 | P a g e Media Foundation Memory Corruption Microsoft Windows CVE-2020-1136 Critical Vulnerability Windows Runtime Elevation of Privilege Microsoft Windows CVE-2020-1139 Important Vulnerability Windows State Repository Service Elevation of Microsoft Windows CVE-2020-1144 Important Privilege Vulnerability Windows Runtime Elevation of Privilege Microsoft Windows CVE-2020-1149 Important Vulnerability Microsoft Windows CVE-2020-1076 Windows Denial of Service Vulnerability Important Microsoft Windows CVE-2020-1143 Win32k