Microsoft Fixes 129 Bugs in Largest Patch Tuesday Release

The June release of security updates addresses several remote code execution vulnerabilities in SharePoint, Excel, Windows OLE, and other services.

Microsoft today issued its Patch Tuesday updates for June 2020, fixing 129 vulnerabilities across its products and services. This marks the company's largest monthly security release to date and the fourth consecutive month in which it has patched more than 100 CVEs (common vulnerabilities and exposures).


Eleven of the bugs addressed today are categorized as Critical, and 118 are classified Important. The vulnerabilities exist in Microsoft Windows, Internet Explorer, Edge browser, ChakraCore, Office, Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, and Microsoft Apps for Android. None are publicly known or under active attack.


There are a few interesting trends in this massive release, including fixes for three flaws in the Microsoft Server Message Block (SMB) protocol. Two of these reside in SMBv3: One is a denial-of-service bug (CVE-2020-1284) that requires an attacker to be authenticated; another is an information disclosure vulnerability (CVE-2020-1206) that does not require authentication. The third is CVE-2020-1301, a remote code execution (RCE) flaw in SMBv1 that requires authentication.


Satnam Narang, staff research engineer with Tenable, points out the latter may remind some of EternalBlue, the RCE vulnerability in SMBv1 used in the WannaCry ransomware attack. Unlike EternalBlue, CVE-2020-1301 requires an authenticated attacker. It affects Windows 7 and 2008, both of which reached end of support in January 2020 but have received patches, he notes.


"Despite this, we strongly recommend disabling SMBv1, ..
