Rites of spring

Microsoft’s May edition of Patch Tuesday landed yesterday, replete with critical updates for SharePoint Server as well as client-side patches for the Internet Explorer (IE) and Edge web browsers.

Although the update batch tackles a bumper 111 flaws – including 16 rated as ‘critical’ – none have been exploited in the wild to date, according to Microsoft.

Share and share alike

A series of patches for SharePoint collectively address 12 security vulnerabilities, including four critical flaws that pose a remote code execution risk.

“A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls,” Microsoft explains in an advisory on CVE-2020-1069, one of the bugs flagged as critical.

“An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process.”

Although this may sound bad, exploitation of the flaw is reckoned by Microsoft to be difficult.

Seven spoofing weaknesses, and an information disclosure vulnerability (CVE-2020-1103) also affecting various components of SharePoint are likewise classified as “less likely” to be exploited by attackers.

The “important” information disclosure vulnerability exists where “certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site search attacks,” Microsoft states.

SharePoint offers a web-based collaborative platform that ties in with Microsoft Office.

What browser vulnerabilities were patched this month?

Microsoft’s May patch batch collectively handles  111 CVEs covering Microsoft Windows, Microsoft EdgeHTML, Internet Explorer, Microsoft Office, and more.

The updates to Microsoft’s browser software including fixes for flaws that pose a remote code execution (RCE) risk, as summarized in a blog post by Rapid7, the firm behind the Metasploit penetration testing tool.

RECOMMENDED RDP attacks skyrocket amid Covid-10 lockdown

CVE-2020-1062 allows RCE in Internet Explorer and might be readily exploitable, while various flaws in Edge are also candidates for prompt browser security triage.

Rapid 7 explains: “Three vulnerabilities in Edge could allow spoofing (CVE-2020-1059), RCE (CVE-2020-1096, related to Edge’s PDF reader), or elevation of privilege (CVE-2020-1056) for anyone an attacker can convince to visit a malicious website.”

Triple-digit fixes

Although addressing more than a 100 security flaws may seem like a lot, the figure is around par for the course for Microsoft over recent months.

Satnam Narang, principal research engineer at security vendor Tenable, commented: “Similar to the last two Patch Tuesday releases, this month’s release was another massive one clocking in at 111 CVEs, 16 rated as critical and 95 rated as important.

“It appears that none of the vulnerabilities patched this month were publicly disclosed nor exploited in the wild.”

It’s a lot to take in, but fortunately the SANS Institute Internet Storm Centre has put together a patching matrix that offers help in understanding the relative severity and importance of the scores of flaw fixes released by Microsoft yesterday.

READ MORE Mozilla raises Firefox bug bounty payouts