Microsoft patches 111 vulnerabilities in May 2020 Patch Tuesday
No zero-days patched in the latest release
Microsoft has released its May 2020 Patch Tuesday update, addressing a total of 111 security vulnerabilities across 12 different products.
The May Patch Tuesday update is the third-largest in Microsoft's history. The two larger updates were released in March and April this year, in which the company patched 115 and 113 bugs, respectively.
Of the 111 security bugs fixed this month, 13 are rated as 'critical', meaning they can be easily exploited by hackers, potentially allowing them to take full control of the target machine.
Of the remaining vulnerabilities, 91 are classified as 'Important', three as 'Moderate' and four as 'Low' in severity.
No zero-day vulnerabilities have been patched by Microsoft in this month's security update.
According to Microsoft, the May 2020 security release consists of updates for the following software:
- Microsoft Windows
- Microsoft Edge (Chromium-based)
- Microsoft Edge (EdgeHTML-based)
- Internet Explorer
- ChakraCore
- Windows Defender
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Dynamics
- Visual Studio
- .NET Core
- .NET Framework
- Power BI
In the Edge browser, Microsoft fixed three critical bugs which could allow an attacker to execute arbitrary code by tricking a user into visiting a malicious website. Of these three bugs, CVE-2020-1056 is an elevation of privilege vulnerability, CVE-2020-1059 is a spoofing vulnerability and CVE-2020-1096 is a PDF remote code execution vulnerability, as per Microsoft.
Other notable vulnerabilities patched this month include two RCE flaws - CVE-2020-1126 in Windows Media Foundation and CVE-2020-1117 in Microsoft Colour Management. Hackers can exploit these bugs by tricking a user into visiting a website with exploit code or opening a malicious email attachment.
CVE-2020-1023 and CVE-2020-1102 are two critical RCE flaws affecting SharePoint. These flaws could enable attackers to make changes in the system, read or delete contents, or directly execute code.
Another notable flaw impacting SharePoint is CVE-2020-1024, which could allow an attacker to run arbitrary code from the SharePoint server farm account and SharePoint application pool, thereby impacting all users connected to the platform.
Microsoft has patched two bugs in Visual Studio. Of them, CVE-2020-1192 is rated as critical, while CVE-2020-1171 is classified as an important vulnerability.