After a flurry of zero-day vulnerabilities in recent editions, May’s Patch Tuesday finally gives Windows users a month off having to fix ‘big’ exploited or public flaws.
The catch is it’s still one of the biggest patch rounds Microsoft has ever released, featuring 111 CVE-level bug fixes (the record being March’s 115 fixes), nearly half of which are in Windows itself.
Of these, 16 are rated critical, all but one of which are Remote Code Execution (RCE), again a smaller haul of top-rated flaws than has recently been the case.
Beyond that, Office SharePoint accounts for 12 CVEs, with 10 from the Windows Graphic Component, five in the Scripting Engine, and four in the Jet Database engine.
A good place to start is with the browser-related bugs, not because there are a lot of them but because they will affect lots of Windows computers.
These include CVE-2020-1062, a critical RCE bug affecting Internet Explorer code that’s still buried inside Windows 10, which doubles up with CVE-2020-1035, a VBScript RCE affecting IE 11. Neither is public, but the browser theme prompts Microsoft to mark it as “exploitation more likely,” which should be taken as a warning.
Edge provides CVE-2020-1056, a critical Elevation of Privilege (EoP) flaw which could be exploited by luring victims to a malicious website. Two more Edge issues marked ‘important’ are CVE-2020-1059, a spoofing bug, and CVE-2020-1096, which could be exploited using a malicious PDF opened via a link.
Other criticals to watch for include CVE-2020-1117 in the in Windows Microsoft Color Management dll, and CVE-2020-1126, a memory corruption problem in Windows Media Foundation. Both can be exploited by persuading a user to visit a malicious website.
Beyond the critical flaws, three marked ‘important’ stand out, again because Microsoft thinks they are more likely to be exploited. These are CVE-2020-1054 and CVE-2020-1143, both allowing EoP in Win32, and CVE-2020-1135, a flaw in the Windows Graphics Component discovered during this year’s virtual Pwn2Own hacking contest.
Adobe
Proof that Adobe has been saving up its fixes for Acrobat and Reader arrives in the form of APSB20-24, which addresses 24 CVEs, including 12 that are critical. The company also patches 12 flaws, including four marked critical, in the DNG Software Development Kit.
None of these are public or currently being exploited, but all flaws in ubiquitous programs such as Reader should be a priority fix.
That’s on top of a large pile of flaws Adobe fixed in its Magento, Bridge and Illustrator software in its stable two weeks ago.