icetray - Fotolia
No public disclosures or zero-days for June Patch Tuesday will make rolling out Microsoft's fixes less challenging, but administrators should take extra care with two vulnerabilities that could slip through the patching process.
For the fourth month in a row, Microsoft delivered corrections in the triple digits, reaching a high-water mark of 129 for June Patch Tuesday. Most of this month's fixes are located in the Windows operating system and Microsoft's web browsers, but administrators will want to keep a close eye on an update related to Adobe Flash Player and a fix for Windows Defender.
Microsoft's security advisory ADV200010 details a critical remote code execution vulnerability (CVE-2020-9633) affecting Windows client and server OSes running Adobe Flash Player builds before version 220.127.116.117 that, if exploited, could let an attacker run code in the context of the current user. The Microsoft security update corrects this issue while the advisory offers additional mitigation recommendations to reduce the likelihood of an exploit in the Adobe product that will reach end of support at the end of this year.
"Adobe is spending significantly less time on Flash Player and only resolving vulnerabilities that get reported," said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah. "Even though the end of life isn't coming until December, we recommend people get Adobe Flash out of their environment as soon as possible."
An elevation-of-privilege vulnerability (CVE-2020-1163) in Windows Defender, rated important, affects Windows client and server systems and several security products, such as Microsoft Security Essentials and Microsoft System Center Endpoint Protection. The Windows Defender antimalware product has its own update engine, meaning it falls outside of the cumulative update model. This further complicates patching because it requires the administrator to check each affected system.
"Microsoft has tried to make the update process transparent, but when it doesn't work, how do you know? For a lot of companies, it's probably an audit blind spot," Goettl said. "If threat actors are already involved, have they done something to prevent or block Windows Defender from updating? If so, then you've got a problem."
SharePoint receives a sizeable number of patches again
Of the 129 vulnerabilities for June Patch Tuesday, 11 are rated critical, with 10 of those affecting the Windows client and server operating systems.
The remaining critical bug is a SharePoint Server remote code execution vulnerability (CVE-2020-1181) that has an "exploitation less likely" rating, most likely because the attacker needs credentials to run a specially crafted page on the SharePoint server. The bug is one of 12 unique vulnerabilities in SharePoint that Microsoft addressed this month, the same number as last month.
The coronavirus pandemic has prompted more companies to invest in the Office 365 collaboration platform, including a shift to the Microsoft Teams app, which uses SharePoint as the underpinning technology to share and store files.
"It's not surprising to see the vulnerability counts for SharePoint go up because more people are using it and more defects are being escalated to Microsoft through support cases," Goettl said. "Also, with more people using it, threat actors and security researchers take more of an interest."
Federal agency warns of heightened threat for unpatched systems
On June 5, the U.S. Cybersecurity and Infrastructure Security Agency issued a warning that certain Windows systems were at greater risk now that threat actors were using proof-of-concept code to exploit a critical vulnerability (CVE-2020-0796) -- dubbed by some security researchers as SMBGhost -- that Microsoft corrected in March.
The Microsoft Server Message Block 3.1.1 (SMBv3) protocol compression remote-code execution vulnerability exists in Windows 10 (versions 1903 and 1909) systems and Windows Server (versions 1903 and 1909) systems that have not been patched since March 12, when Microsoft released an out-of-band update. To exploit the vulnerability on a server system, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit a client system, the attacker would need to convince a user to connect to a malicious SMBv3 server.
In addition to applying the security update for these systems, Microsoft also recommends blocking TCP port 445 and preventing SMB traffic from moving beyond the network perimeter.