09
Jun 20

Microsoft Patch Tuesday, June 2020 Edition

Microsoft today released software patches to plug at least 129 security holes in its Windows operating systems and supported software, by some accounts a record number of fixes in one go for the software giant. None of the bugs addressed this month are known to have been exploited or detailed prior to today, but there are a few vulnerabilities that deserve special attention — particularly for enterprises and employees working remotely.

June marks the fourth month in a row that Microsoft has issued fixes to address more than 100 security flaws in its products. Eleven of the updates address problems Microsoft deems “critical,” meaning they could be exploited by malware or malcontents to seize complete, remote control over vulnerable systems without any help from users.

A chief concern among the panoply of patches is a trio of vulnerabilities in the Windows file-sharing technology (a.k.a. Microsoft Server Message Block or “SMB” service). Perhaps most troubling of these (CVE-2020-1301) is a remote code execution bug in SMB capabilities built into Windows 7 and Windows Server 2008 systems — both operating systems that Microsoft stopped supporting with security updates in January 2020. One mitigating factor with this flaw is that an attacker would need to be already authenticated on the network to exploit it, according to security experts at Tenable.

The SMB fixes follow closely on news that proof-of-concept code was published this week that would allow anyone to exploit a critical SMB flaw Microsoft patched for Windows 10 systems in March (CVE-2020-0796). Unlike this month’s critical SMB bugs, CVE-2020-0796 does not require the attacker to be authenticated to the target’s network. And with countless company employees now working remotely, Windows 10 users who have not yet applied updates from March or later could be dangerously exposed right now.

Microsoft Office and Excel get several updates this month. Two different flaws in Excel (CVE-2020-1225 and CVE-2020-1226) could be used to remotely commandeer a computer running Office just by getting a user to open a booby-trapped document. Another weakness (CVE-2020-1229) in most versions of Office may be exploited to bypass security features in Office simply by previewing a malicious document in the preview pane. This flaw also impacts Office for Mac, although updates are not yet available for that platform.

After months of giving us a welcome break from patching, Adobe has issued an update for its Flash Player program that fixes a single, albeit critical security problem. Adobe says it is not aware of any active exploits against the Flash flaw. Mercifully, Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year. Adobe also released security updates for its Experience Manager and Framemaker products.

Windows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for a wonky Windows update to hose one’s system or prevent it from booting properly, and some updates even have known to erase or corrupt files. So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Further reading:

AskWoody and Martin Brinkmann on Patch Tuesday fixes and potential pitfalls

Trend Micro’s Zero Day Initiative June 2020 patch lowdown

U.S-CERT on Active Exploitation of CVE-2020-0796

Tags: , , , , , ,

60 comments

  1. My wife rebooted her win10 machine this morning, the first after the patches went on. Her machine would move the mouse but not open any applications. I did ctl,alt,del and arrowed down to power, reboot. The machine rebooted fine and works ok now.

  2. I’ve read that to exploit this, there must be a shared partition on the server. Is having the default share (e.g. “\\xx.xx.xx.xx\c$” enough to make this exploitable? I want to wait before deploying the monthly rollup (because we all know that Microsoft doesn’t always do enough QA on their updates) but want to make sure I’m not vulnerable.

  3. Updates for macOS apps showed up a week later.

  4. On 17 June 2020 (within this update cycle but NOT on Patch Tuesday) Microsoft released KB4567409 “Microsoft Edge Update for Windows 7 for x64-based Systems”. More information: https://support.microsoft.com/help/4567409

    I visited that page. Though the update’s title explicitly references Windows 7, reading “more information” I found this update also applies to Windows 8.1 which is to say: yep, I know W-7 is no longer supported, but if you’re running W 8.1, this update may be offered to you.

    I scrolled down to the “Installation information” heading:

    “To keep your browser secure and up to date, you are asked to accept automatic updates. By clicking Accept and get started you enable Microsoft Edge to update automatically so that you can always have the latest improvements. These updates are independent of your Windows update settings.”

    That uncontrollable update behavior is a deal-killer for me. Up to you whether it works for you.