For the fourth month in a row, Microsoft has patched over 100 CVEs, addressing 129 in the June 2020 Patch Tuesday release.
The updates this month include patches for Microsoft Windows, Microsoft Edge, ChakraCore, Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps and Adobe Flash Player.
Commenting on the patch Tuesday Satnam Narang, Staff Research Engineer at Tenable said, “Microsoft continues its streak of releasing patches for over 100 CVEs, as June 2020s Patch Tuesday release contains fixes for 129 CVEs, 11 of which are rated as critical. For the second month in a row, none of the vulnerabilities patched this month were exploited in the wild nor publicly disclosed. Most notably in this month’s release are a trio of fixes for vulnerabilities in Microsoft Server Message Block (SMB), two of which reside in SMB version 3.1.1 (SMBv3).
All three vulnerabilities are rated as Exploitation More Likely based on Microsoft’s Exploitability Index. These include a denial of service vulnerability (CVE-2020-1284) and an information disclosure vulnerability (CVE-2020-1206) in SMBv3. The former can be exploited by an unauthenticated, remote attacker, while the latter requires the attacker to be authenticated.
These flaws in SMBv3 follow in the footsteps of CVE-2020-0796, an unauthenticated remote code execution flaw in SMBv3 that was patched back in March that has since been observed being exploited in the wild. CVE-2020-1301 completes the trio of SMB vulnerabilities this month. It is a remote code execution vulnerability in SMBv1.
Now, this might create a sense of deja vu, because it reminds us of EternalBlue, another remote code execution vulnerability in SMBv1 that was used in the WannaCry ransomware attacks of 2017. However, the difference between these two is that EternalBlue could be exploited by an unauthenticated attacker, whereas this flaw requires authentication, according to Microsoft.
This vulnerability affects Windows 7 and Windows 2008, both of which reached their end of support in January 2020. However, Microsoft has provided patches for both operating systems. Despite this, we strongly recommend disabling SMBv1, as it is a legacy protocol that should no longer be used. Additionally, upgrading from Windows 7 and Windows 2008 is also recommended as Microsoft rarely releases security patches for operating systems that are no longer officially supported.
