Patch Tuesday, it is that wonderful time a year when we find out how many security holes you have been sitting on without knowing it. This month 129 issues are getting patched, which is a new Microsoft record. You always like to see excellence achieved with personal bests.
In better news only 11 are rated critical this month, which is a subtle decrease from 16 last month, the Best news for this month none of these patches are actively being exploited, or publicly known. Keep to your patching schedule (hopefully already automated), and these will be gone before they could ever have been an issue for you. Let’s take a look at some of the patches I looked into randomly!
Some highlights (or lowlights)
CVE-2020-1213: This one is a remote execution exploit for VBScript, one of 3 for VBScript that got labeled as critical. This one allows them to run arbitrary code up to the current user rights. It does require the user to click on a corrupted file or go to a compromised website. It would allow them to do anything to the computer their access is allowed, so if it was admin access, they could do just about anything. Luckily with proper end-user training and you're up to date patches, this one will fade away before you even realized it was a risk.
CVE-2020-1315: This one does not allow a baddy to run anything on the machines, but they can pull information off the machine. Using IE and going to a malicious website will enable them to obtain a lot of data, which may be enough to do some damage in future attempts. The patch will modify how IE handles objects in memory, and everything will be just peachy.
CVE-2020-1283: I bring this one up to highlight that the classics never go out of style. This one is a vulnerability that will allow Denial of Service attacks. It is not listed as critical as it is not something they could run remote but would require a user to click on a corrupted file or share to get it to work. It would not give them any access to the machine, but they could make whatever machine that licked on it stop responding.
June is an interesting month, a new record for vulnerabilities overall, but less critical than we have seen in some time. Less critical means we still have some, make sure you are keeping your environment safe and up to date. I have a suspicion that we may have a new yearly record by the end of this month by the rate we have been closing vulnerabilities this year. I will probably add all that up and let you know if it is true next month. Happy patching!
Jordan had spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that is something he should talk about on the internet while drinking most Thursdays on the PDQ webcast.