On June 10, 2020, Microsoft released a new set of security updates as part of its monthly Patch Tuesday. A total of 123 security fixes were released, 17 of them rated critical.

The most significant vulnerabilities:

CVE-2020-1350 (SIGRed) is a critical remote code execution (RCE) vulnerability with a base CVSS score of 10. It affects Windows DNS Server across many versions of Windows Server and can be triggered by a malicious DNS response. Because the service runs with elevated privileges (SYSTEM), a successful exploit gives the attacker domain administrator privileges, effectively compromising the entire corporate infrastructure.

CVE-2020-1435 is a critical RCE vulnerability affecting the Graphics Device Interface (GDI). An attacker can exploit it by convincing users to view a specially crafted website or by sending them an e-mail with a malicious attachment.

A detailed breakdown of the updates follows:

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability | CVE-2020-1147 | No | No | More Likely | More Likely | Critical | | |
| Azure DevOps Server Cross-site Scripting Vulnerability | CVE-2020-1326 | No | No | Less Likely | Less Likely | Important | | |
| Bond Denial of Service Vulnerability | CVE-2020-1469 | No | No | Less Likely | Less Likely | Important | | |
| Connected User Experiences and Telemetry Service Information Disclosure Vulnerability | CVE-2020-1386 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2020-1409 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| GDI+ Remote Code Execution Vulnerability | CVE-2020-1435 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9 |
| Group Policy Services Policy Processing Elevation of Privilege Vulnerability | CVE-2020-1333 | No | No | Less Likely | Less Likely | Important | 6.7 | 6.0 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1032 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1036 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1040 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1041 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1043 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1042 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2020-1400 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2020-1401 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2020-1407 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| LNK Remote Code Execution Vulnerability | CVE-2020-1421 | No | No | Less Likely | Less Likely | Critical | 7.5 | 6.7 |
| Local Security Authority Subsystem Service Denial of Service Vulnerability | CVE-2020-1267 | No | No | Less Likely | Less Likely | Important | 4.9 | 4.4 |
| Microsoft Defender Elevation of Privilege Vulnerability | CVE-2020-1461 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Microsoft Edge PDF Information Disclosure Vulnerability | CVE-2020-1433 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2020-1240 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Graphics Component Information Disclosure Vulnerability | CVE-2020-1351 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Microsoft Graphics Components Remote Code Execution Vulnerability | CVE-2020-1412 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7 |
| Microsoft Graphics Remote Code Execution Vulnerability | CVE-2020-1408 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.9 |
| Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers | ADV200008 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Elevation of Privilege Vulnerability | CVE-2020-1025 | No | No | Less Likely | Less Likely | Critical | | |
| Microsoft Office Information Disclosure Vulnerability | CVE-2020-1342 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Information Disclosure Vulnerability | CVE-2020-1445 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2020-1458 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1456 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1450 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1451 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft OneDrive Elevation of Privilege Vulnerability | CVE-2020-1465 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Outlook Remote Code Execution Vulnerability | CVE-2020-1349 | No | No | Less Likely | Less Likely | Critical | | |
| Microsoft Project Remote Code Execution Vulnerability | CVE-2020-1449 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Reflective XSS Vulnerability | CVE-2020-1454 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Remote Code Execution Vulnerability | CVE-2020-1444 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2020-1443 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2020-1446 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2020-1447 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2020-1448 | No | No | Less Likely | Less Likely | Important | | |
| Office Web Apps XSS Vulnerability | CVE-2020-1442 | No | No | Less Likely | Less Likely | Important | | |
| PerformancePoint Services Remote Code Execution Vulnerability | CVE-2020-1439 | No | No | Less Likely | Less Likely | Critical | | |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2020-1374 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Skype for Business via Internet Explorer Information Disclosure Vulnerability | CVE-2020-1432 | No | No | Less Likely | Less Likely | Important | 2.4 | 2.2 |
| Skype for Business via Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability | CVE-2020-1462 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9 |
| VBScript Remote Code Execution Vulnerability | CVE-2020-1403 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | CVE-2020-1481 | No | No | Less Likely | Less Likely | Important | | |
| Visual Studio and Visual Studio Code Elevation of Privilege Vulnerability | CVE-2020-1416 | No | No | Less Likely | Less Likely | Important | | |
| Windows ALPC Elevation of Privilege Vulnerability | CVE-2020-1396 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows ActiveX Installer Service Elevation of Privilege Vulnerability | CVE-2020-1402 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Address Book Remote Code Execution Vulnerability | CVE-2020-1410 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| Windows Agent Activation Runtime Information Disclosure Vulnerability | CVE-2020-1391 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | CVE-2020-1431 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.4 |
| Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | CVE-2020-1359 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | CVE-2020-1384 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows COM Server Elevation of Privilege Vulnerability | CVE-2020-1375 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Credential Enrollment Manager Service Elevation of Privilege Vulnerability | CVE-2020-1368 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Credential Picker Elevation of Privilege Vulnerability | CVE-2020-1385 | No | No | Less Likely | Less Likely | Important | 4.5 | 4.1 |
| Windows DNS Server Remote Code Execution Vulnerability | CVE-2020-1350 | No | No | More Likely | More Likely | Critical | 10.0 | 9.0 |
| Windows Diagnostics Hub Elevation of Privilege Vulnerability | CVE-2020-1418 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Diagnostics Hub Elevation of Privilege Vulnerability | CVE-2020-1393 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2020-1388 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Elevation of Privilege Vulnerability | CVE-2020-1392 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2020-1394 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2020-1395 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Error Reporting Information Disclosure Vulnerability | CVE-2020-1420 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Error Reporting Manager Elevation of Privilege Vulnerability | CVE-2020-1429 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Event Logging Service Elevation of Privilege Vulnerability | CVE-2020-1365 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Event Logging Service Elevation of Privilege Vulnerability | CVE-2020-1371 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Font Driver Host Remote Code Execution Vulnerability | CVE-2020-1355 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Font Library Remote Code Execution Vulnerability | CVE-2020-1436 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9 |
| Windows Function Discovery Service Elevation of Privilege Vulnerability | CVE-2020-1085 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2020-1468 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Graphics Component Elevation of Privilege Vulnerability | CVE-2020-1381 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Graphics Component Elevation of Privilege Vulnerability | CVE-2020-1382 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Imaging Component Information Disclosure Vulnerability | CVE-2020-1397 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1336 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1411 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2020-1419 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2020-1367 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2020-1389 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2020-1426 | No | No | More Likely | More Likely | Important | 5.5 | 5.0 |
| Windows Lockscreen Elevation of Privilege Vulnerability | CVE-2020-1398 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability | CVE-2020-1372 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability | CVE-2020-1405 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.4 |
| Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability | CVE-2020-1330 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Modules Installer Elevation of Privilege Vulnerability | CVE-2020-1346 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Network Connections Service Elevation of Privilege Vulnerability | CVE-2020-1373 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Network Connections Service Elevation of Privilege Vulnerability | CVE-2020-1390 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Network Connections Service Elevation of Privilege Vulnerability | CVE-2020-1427 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Network Connections Service Elevation of Privilege Vulnerability | CVE-2020-1428 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Network Connections Service Elevation of Privilege Vulnerability | CVE-2020-1438 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Network List Service Elevation of Privilege Vulnerability | CVE-2020-1406 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Network Location Awareness Service Elevation of Privilege Vulnerability | CVE-2020-1437 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Picker Platform Elevation of Privilege Vulnerability | CVE-2020-1363 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Print Workflow Service Elevation of Privilege Vulnerability | CVE-2020-1366 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Profile Service Elevation of Privilege Vulnerability | CVE-2020-1360 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Push Notification Service Elevation of Privilege Vulnerability | CVE-2020-1387 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Resource Policy Information Disclosure Vulnerability | CVE-2020-1358 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1422 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1353 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1370 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1399 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1404 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1413 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1414 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1415 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1249 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows SharedStream Library Elevation of Privilege Vulnerability | CVE-2020-1463 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Storage Services Elevation of Privilege Vulnerability | CVE-2020-1347 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Subsystem for Linux Elevation of Privilege Vulnerability | CVE-2020-1423 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Sync Host Service Elevation of Privilege Vulnerability | CVE-2020-1434 | No | No | Less Likely | Less Likely | Important | 4.5 | 4.1 |
| Windows System Events Broker Elevation of Privilege Vulnerability | CVE-2020-1357 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows UPnP Device Host Elevation of Privilege Vulnerability | CVE-2020-1354 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows UPnP Device Host Elevation of Privilege Vulnerability | CVE-2020-1430 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows USO Core Worker Elevation of Privilege Vulnerability | CVE-2020-1352 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Update Stack Elevation of Privilege Vulnerability | CVE-2020-1424 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows WalletService Denial of Service Vulnerability | CVE-2020-1364 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.4 |
| Windows WalletService Elevation of Privilege Vulnerability | CVE-2020-1344 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows WalletService Elevation of Privilege Vulnerability | CVE-2020-1362 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows WalletService Elevation of Privilege Vulnerability | CVE-2020-1369 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows WalletService Information Disclosure Vulnerability | CVE-2020-1361 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows iSCSI Target Service Elevation of Privilege Vulnerability | CVE-2020-1356 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
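Added example, not part of the original post: a small Python triage helper that reads advisory rows in the whitespace-separated form used above (a description line followed by rows of `CVE Disclosed Exploited Exploitability Exploitability Severity [Base Temporal]`) and orders them the way a patch-management team usually does: anything already exploited or publicly disclosed first, then Critical, then "More Likely" exploitability, then CVSS base score. `Entry`, `parse_table` and `prioritize` are names chosen here; the sample rows are copied from the table and the ordering rule is an assumption, not Microsoft's.

```python
import re
from typing import NamedTuple

# One CVE row: ID, Disclosed, Exploited, old/current exploitability, Severity, optional CVSS scores.
ROW = re.compile(
    r"^(?P<id>CVE-\d{4}-\d+|ADV\d+)\s+(?P<disclosed>Yes|No)\s+(?P<exploited>Yes|No)\s+"
    r"(?P<old>More Likely|Less Likely)\s+(?P<cur>More Likely|Less Likely)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low)"
    r"(?:\s+(?P<base>\d+\.\d)\s+(?P<temporal>\d+\.\d))?$")

class Entry(NamedTuple):
    description: str
    id: str
    disclosed: bool
    exploited: bool
    exploitability: str        # rating for the current version
    severity: str
    cvss_base: "float | None"  # None where the advisory lists no score

def parse_table(text: str) -> list:
    """A non-empty line that is not a CVE row is the description for the rows after it."""
    entries, description = [], ""
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = ROW.match(line)
        if m is None:
            description = line
            continue
        entries.append(Entry(description, m["id"], m["disclosed"] == "Yes",
                             m["exploited"] == "Yes", m["cur"], m["severity"],
                             float(m["base"]) if m["base"] else None))
    return entries

def prioritize(entries: list) -> list:
    """Exploited first, then publicly disclosed, Critical, 'More Likely', then CVSS base."""
    return sorted(entries, key=lambda e: (not e.exploited, not e.disclosed,
                                          e.severity != "Critical",
                                          e.exploitability != "More Likely",
                                          -(e.cvss_base if e.cvss_base is not None else -1)))
# Constructed sample: rows copied from the table above, in the whitespace-separated layout.
SAMPLE = """\
Windows DNS Server Remote Code Execution Vulnerability
CVE-2020-1350 No No More Likely More Likely Critical 10.0 9.0
GDI+ Remote Code Execution Vulnerability
CVE-2020-1435 No No Less Likely Less Likely Critical 8.8 7.9
Azure DevOps Server Cross-site Scripting Vulnerability
CVE-2020-1326 No No Less Likely Less Likely Important
Remote Desktop Client Remote Code Execution Vulnerability
CVE-2020-1374 No No More Likely More Likely Critical 7.5 6.7
"""
```

Running `prioritize(parse_table(SAMPLE))` puts CVE-2020-1350 first, then the Critical "More Likely" RDP client bug ahead of the higher-scored but "Less Likely" GDI+ bug, and rows without a CVSS score last.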