Continuing the trend of large Microsoft Patch Tuesdays, this month’s addresses 111 vulnerabilities with 16 of them labeled as Critical. The 16 Critical vulnerabilities cover SharePoint, Browsers, Scripting Engines, Media Foundation, Microsoft Graphics, Microsoft Color Management, and the VS Code Python Extension. Adobe released patches today for Acrobat/Reader, and DNG SDK.
The Browser, Scripting Engine, Media Foundation, Microsoft Graphics, and Microsoft Color Management patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Similar to last month, Microsoft has also released patches for SharePoint covering four RCE vulnerabilities (CVE-2020-1023, CVE-2020-1024, CVE-2020-1102, CVE-2020-1069). Three of the four RCEs involve uploading a malicious application package to exploit the vulnerabilities, while the other involves uploading a malicious page. These patches should be prioritized for all SharePoint servers.
Visual Studio Code Python Extension RCE
Microsoft also released a patch for an RCE vulnerability the VS Code Python Extension (CVE-2020-1192). Exploiting the vulnerability would require the user to open a malicious file, and would grant the attacker the same rights as the user. All VS Code installations with this extension should prioritized for patching.
Autodesk FBX Library
In late April, Microsoft issued out-of-band updates for Office, 3D Viewer, and Paint 3D which use the Autodesk FBX Library to render 3D content. Vulnerabilities in this library can lead to remote code execution if a user opens a specially crafted file.
Adobe issued patches today covering multiple vulnerabilities in Acrobat/Reader and DNG SDK. The patches for Acrobat/Reader are labeled as Priority 2, while DNS SDK’s patches are set to Priority 3. These patches resolve multiple Critical vulnerabilities.
While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.