Microsoft June 2020 Patch Tuesday

Published: 2020-06-09
Last Updated: 2020-06-09 18:02:49 UTC
by Renato Marinho (Version: 1)
2 comment(s)

This month we got patches for 130 vulnerabilities. Of these, 12 are critical and none of them was previously disclosed or is being exploited according to Microsoft. 

Amongst critical vulnerabilities, there is a remote code execution in Windows Graphics Device Interface (GDI) - CVE-2020-1248 . An attacker could exploit this vulnerability by convincing users to view a specially crafted website or sending them an e-mail attachment with a malicious attachment. This vulnerability affects multiple versions of Windows 10 and Windows Server versions 1903, 1909, and 2004. The CVSS v3 score for this vulnerability is 8.40.

There is also an RCE affecting Windows OLE (CVE-2020-1281) due to improper validation of user input. As for the previous vulnerability, an attacker could exploit this vulnerability using specially crafted websites or via e-mail phishing campaigns. This vulnerability affects virtually all supported Windows versions – from Windows 7 to Windows Server 2019. 

The highest CVSS v3 this month (8.60) was given to an important Information Disclosure vulnerability in SMBv3 Client/Server (CVE-2020-1206). According to Microsoft, the information that could be disclosed if an attacker successfully exploits this vulnerability is uninitialized memory. This vulnerability reminds me CVE-2020-0796, known as SMBGhost publish last March. The workarounds suggested by Microsoft are the same for both – disabling SMBv3 compression. But, of course, SMBGhost is an RCE vulnerability.

See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

Description
CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG)
Azure DevOps Server HTML Injection Vulnerability
CVE-2020-1327 No No Less Likely Less Likely Important    
Component Object Model Elevation of Privilege Vulnerability
CVE-2020-1311 No No Less Likely Less Likely Important 7.8 7.0
Connected Devices Platform Service Elevation of Privilege Vulnerability
CVE-2020-1211 No No Less Likely Less Likely Important 7.8 7.0
Connected User Experiences and Telemetry Service Denial of Service Vulnerability
CVE-2020-1120 No No Less Likely Less Likely Important 7.1 6.4
CVE-2020-1244 No No Less Likely Less Likely Important 6.3 5.7
Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability
CVE-2020-1202 No No Less Likely Less Likely Important 7.0 6.3
CVE-2020-1203 No No Less Likely Less Likely Important 7.8 7.0
Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
CVE-2020-1278 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1257 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1293 No No Less Likely Less Likely Important 7.8 7.0
DirectX Elevation of Privilege Vulnerability
CVE-2020-1258 No No Less Likely Less Likely Important 6.4 5.8
GDI+ Remote Code Execution Vulnerability
CVE-2020-1248 No No Less Likely Less Likely Critical 8.4 7.6
Group Policy Elevation of Privilege Vulnerability
CVE-2020-1317 No No Less Likely Less Likely Important 7.8 7.0
Internet Explorer Information Disclosure Vulnerability
CVE-2020-1315 No No Less Likely Less Likely Important 2.4 2.2
Jet Database Engine Remote Code Execution Vulnerability
CVE-2020-1208 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1236 No No Less Likely Less Likely Important 7.8 7.0
June 2020 Adobe Flash Security Update
ADV200010 No No - - Critical    
LNK Remote Code Execution Vulnerability
CVE-2020-1299 No No Less Likely Less Likely Critical 6.8 6.1
Media Foundation Information Disclosure Vulnerability
CVE-2020-1232 No No Less Likely Less Likely Important 6.5 5.9
Media Foundation Memory Corruption Vulnerability
CVE-2020-1238 No No Less Likely Less Likely Important 8.8 7.9
CVE-2020-1239 No No Less Likely Less Likely Important 8.8 7.9
Microsoft Bing Search Spoofing Vulnerability
CVE-2020-1329 No No - - Important    
Microsoft Browser Memory Corruption Vulnerability
CVE-2020-1219 No No More Likely More Likely Critical    
Microsoft Edge (Chromium-based) in IE Mode Spoofing Vulnerability
CVE-2020-1220 No No - - Important 5.4 4.9
Microsoft Edge Information Disclosure Vulnerability
CVE-2020-1242 No No - - Important 4.3 3.9
Microsoft Excel Remote Code Execution Vulnerability
CVE-2020-1225 No No Less Likely Less Likely Important    
CVE-2020-1226 No No Less Likely Less Likely Important    
Microsoft Graphics Component Information Disclosure Vulnerability
CVE-2020-1160 No No Less Likely Less Likely Important 5.5 5.0
Microsoft Office Remote Code Execution Vulnerability
CVE-2020-1321 No No Less Likely Less Likely Important    
Microsoft Office SharePoint XSS Vulnerability
CVE-2020-1183 No No Less Likely Less Likely Important    
CVE-2020-1298 No No Less Likely Less Likely Important    
CVE-2020-1320 No No Less Likely Less Likely Important    
CVE-2020-1177 No No Less Likely Less Likely Important    
CVE-2020-1297 No No Less Likely Less Likely Important    
CVE-2020-1318 No No Less Likely Less Likely Important    
Microsoft Outlook Security Feature Bypass Vulnerability
CVE-2020-1229 No No Less Likely Less Likely Important    
Microsoft Project Information Disclosure Vulnerability
CVE-2020-1322 No No Less Likely Less Likely Important    
Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2020-1295 No No Less Likely Less Likely Important    
Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE-2020-1178 No No Less Likely Less Likely Important    
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2020-1181 No No Less Likely Less Likely Critical    
Microsoft SharePoint Spoofing Vulnerability
CVE-2020-1148 No No Less Likely Less Likely Important    
CVE-2020-1289 No No - - Important    
Microsoft Store Runtime Elevation of Privilege Vulnerability
CVE-2020-1222 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1309 No No Less Likely Less Likely Important 7.8 7.0
Microsoft Windows Defender Elevation of Privilege Vulnerability
CVE-2020-1163 No No Less Likely Less Likely Important    
CVE-2020-1170 No No Less Likely Less Likely Important    
NuGetGallery Spoofing Vulnerability
CVE-2020-1340 No No - - Important    
OLE Automation Elevation of Privilege Vulnerability
CVE-2020-1212 No No Less Likely Less Likely Important 7.8 7.0
OpenSSH for Windows Elevation of Privilege Vulnerability
CVE-2020-1292 No No Less Likely Less Likely Important 8.8 7.9
Scripting Engine Memory Corruption Vulnerability
CVE-2020-1073 No No - - Critical 4.2 3.8
SharePoint Open Redirect Vulnerability
CVE-2020-1323 No No Less Likely Less Likely Important    
System Center Operations Manager Spoofing Vulnerability
CVE-2020-1331 No No - - Important    
VBScript Remote Code Execution Vulnerability
CVE-2020-1213 No No More Likely More Likely Critical    
CVE-2020-1214 No No More Likely More Likely Important    
CVE-2020-1215 No No More Likely More Likely Important    
CVE-2020-1216 No No More Likely More Likely Critical    
CVE-2020-1230 No No More Likely More Likely Important 7.5 6.7
CVE-2020-1260 No No More Likely More Likely Critical 6.4 5.8
Visual Studio Code Live Share Information Disclosure Vulnerability
CVE-2020-1343 No No - - Important    
Win32k Elevation of Privilege Vulnerability
CVE-2020-1207 No No More Likely More Likely Important 6.4 5.8
CVE-2020-1247 No No More Likely More Likely Important 7.0 6.3
CVE-2020-1310 No No Less Likely Less Likely Important 6.4 5.8
CVE-2020-1251 No No More Likely More Likely Important 7.0 6.3
CVE-2020-1253 No No More Likely More Likely Important 6.4 5.8
Win32k Information Disclosure Vulnerability
CVE-2020-1290 No No Less Likely Less Likely Important 5.5 5.0
Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability
CVE-2020-1255 No No Less Likely Less Likely Important 8.5 7.6
Windows Backup Service Elevation of Privilege Vulnerability
CVE-2020-1271 No No Less Likely Less Likely Important 7.8 7.0
Windows Bluetooth Service Elevation of Privilege Vulnerability
CVE-2020-1280 No No Less Likely Less Likely Important 7.8 7.0
Windows Denial of Service Vulnerability
CVE-2020-1283 No No Less Likely Less Likely Important 5.5 5.0
Windows Diagnostics & feedback Information Disclosure Vulnerability
CVE-2020-1296 No No Less Likely Less Likely Important 5.0 4.5
Windows Elevation of Privilege Vulnerability
CVE-2020-1324 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1162 No No Less Likely Less Likely Important 7.8 7.0
Windows Error Reporting Elevation of Privilege Vulnerability
CVE-2020-1234 No No Less Likely Less Likely Important 7.8 7.0
Windows Error Reporting Information Disclosure Vulnerability
CVE-2020-1261 No No Less Likely Less Likely Important 5.5 5.0
CVE-2020-1263 No No Less Likely Less Likely Important 5.5 5.0
Windows Error Reporting Manager Elevation of Privilege Vulnerability
CVE-2020-1197 No No Less Likely Less Likely Important 6.3 5.7
Windows Feedback Hub Elevation of Privilege Vulnerability
CVE-2020-1199 No No Less Likely Less Likely Important 7.8 7.0
Windows GDI Elevation of Privilege Vulnerability
CVE-2020-0915 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-0916 No No Less Likely Less Likely Important 7.8 7.0
Windows GDI Information Disclosure Vulnerability
CVE-2020-1348 No No Less Likely Less Likely Important 5.5 5.0
Windows Host Guardian Service Security Feature Bypass Vulnerability
CVE-2020-1259 No No Less Likely Less Likely Important 4.3 3.9
Windows Installer Elevation of Privilege Vulnerability
CVE-2020-1277 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1312 No No Less Likely Less Likely Important    
CVE-2020-1272 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1302 No No Less Likely Less Likely Important 7.8 7.0
Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-0986 No No Less Likely Less Likely Important    
CVE-2020-1237 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1246 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1262 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1269 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1274 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1275 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1307 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1316 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1264 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1266 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1273 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1276 No No Less Likely Less Likely Important 7.8 7.0
Windows Kernel Security Feature Bypass Vulnerability
CVE-2020-1241 No No More Likely More Likely Important 5.3 4.8
Windows Lockscreen Elevation of Privilege Vulnerability
CVE-2020-1279 No No Less Likely Less Likely Important 7.8 7.0
Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
CVE-2020-1204 No No Less Likely Less Likely Important 6.3 5.7
Windows Modules Installer Service Elevation of Privilege Vulnerability
CVE-2020-1254 No No Less Likely Less Likely Important 7.8 7.0
Windows Network Connections Service Elevation of Privilege Vulnerability
CVE-2020-1291 No No Less Likely Less Likely Important 7.0 6.3
Windows Network List Service Elevation of Privilege Vulnerability
CVE-2020-1209 No No Less Likely Less Likely Important 7.0 6.3
Windows Now Playing Session Manager Elevation of Privilege Vulnerability
CVE-2020-1201 No No Less Likely Less Likely Important 7.8 7.0
Windows OLE Remote Code Execution Vulnerability
CVE-2020-1281 No No Less Likely Less Likely Critical 7.8 7.0
Windows Print Configuration Elevation of Privilege Vulnerability
CVE-2020-1196 No No Less Likely Less Likely Important 7.0 6.3
Windows Registry Denial of Service Vulnerability
CVE-2020-1194 No No Less Likely Less Likely Important 5.5 5.0
Windows Remote Code Execution Vulnerability
CVE-2020-1300 No No Less Likely Less Likely Critical 7.8 7.0
Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1334 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1231 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1233 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1235 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1282 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1265 No No - - Important 7.8 7.0
CVE-2020-1304 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1306 No No Less Likely Less Likely Important 7.8 7.0
Windows Runtime Information Disclosure Vulnerability
CVE-2020-1217 No No Less Likely Less Likely Important 7.0 6.3
Windows SMB Remote Code Execution Vulnerability
CVE-2020-1301 No No More Likely More Likely Important 7.5 6.7
Windows SMBv3 Client/Server Denial of Service Vulnerability
CVE-2020-1284 No No - - Important 7.5 6.7
Windows SMBv3 Client/Server Information Disclosure Vulnerability
CVE-2020-1206 No No More Likely More Likely Important 8.6 7.7
Windows Service Information Disclosure Vulnerability
CVE-2020-1268 No No Less Likely Less Likely Important 5.5 5.0
Windows Shell Remote Code Execution Vulnerability
CVE-2020-1286 No No Less Likely Less Likely Critical 7.8 7.0
Windows State Repository Service Elevation of Privilege Vulnerability
CVE-2020-1305 No No Less Likely Less Likely Important 7.8 7.0
Windows Text Service Framework Elevation of Privilege Vulnerability
CVE-2020-1314 No No Less Likely Less Likely Important 7.0 6.3
Windows Update Orchestrator Service Elevation of Privilege Vulnerability
CVE-2020-1313 No No Less Likely Less Likely Important    
Windows WLAN Service Elevation of Privilege Vulnerability
CVE-2020-1270 No No Less Likely Less Likely Important 7.8 7.0
Windows WalletService Elevation of Privilege Vulnerability
CVE-2020-1294 No No Less Likely Less Likely Important 7.8 7.0
CVE-2020-1287 No No Less Likely Less Likely Important 7.8 7.0
Word for Android Remote Code Execution Vulnerability
CVE-2020-1223 No No - - Important    

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter

Keywords:
2 comment(s)
ISC Stormcast For Tuesday, June 9th 2020 https://isc.sans.edu/podcastdetail.html?id=7030

Comments

What's this all about ..?

Anonymous

Dec 3rd 2022
10 months ago

password reveal .

Anonymous

Dec 3rd 2022
10 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

Anonymous

Dec 26th 2022
9 months ago

https://thehomestore.com.pk/

Anonymous

Dec 26th 2022
9 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
9 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
9 months ago

https://defineprogramming.com/

Anonymous

Dec 26th 2022
9 months ago

https://defineprogramming.com/

https://defineprogramming.com/

Dec 26th 2022
9 months ago

Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/

https://defineprogramming.com/

Dec 26th 2022
9 months ago

Enter corthrthmment here...

rthrth

Jan 2nd 2023
9 months ago

Login here to join the discussion.


Diary Archives