Microsoft fixed multi critical vulnerabilities on its products
Microsoft is rolling out the May 2020 Patch Tuesday. This security update fixed 111 patch vulnerabilities, mainly covers the Windows operating system, IE / Edge browser, ChakraCore, Dynamics, Visual Studio, Android applications, .Net Framework, Office and Office Services, and Web applications, Microsoft Malware Protection Engine. These include 16 serious vulnerabilities, 95 high-risk vulnerabilities.
CVE-2020-1071: Windows remote access session permission prompt vulnerability
There is a privilege elevation vulnerability when Windows handles errors related to the “Remote Access Common Dialog.” This vulnerability requires an attacker to physically touch the relevant device. An attacker who successfully exploited this vulnerability could run arbitrary code with high privileges and obtain full control of the device.
CVE-2020-1135: Windows graphical component permission prompt vulnerability
There is a UAF vulnerability in the graphical component of Windows. This vulnerability requires an attacker to obtain basic system login permissions. An attacker who successfully exploited this vulnerability was upgraded from a normal user authority to SYSTEM.
CVE-2020-1067: Windows remote code execution vulnerability
A remote code execution vulnerability exists in the Windows operating system’s processing of memory objects. This vulnerability requires an attacker to obtain a domain user account. An attacker who successfully exploited this vulnerability could execute arbitrary code with higher permissions on the affected operating system. And obtain full control of the device.
CVE-2020-1118: Windows Transport Layer Security Denial of Service Vulnerability
There is a null pointer dereference vulnerability in the Windows Diffie-Hellman protocol implementation. This vulnerability requires an attacker to perform TLS communication with the affected system. An attacker can trigger this vulnerability by sending a malicious client key exchange message during the TLS handshake. Successful exploitation of this vulnerability may cause equipment downtime as well as the corresponding lsass.exe process terminates. This leads to a denial of service. This vulnerability affects both the TLS client and the TLS server.
CVE-2020-0901: Excel remote code execution vulnerability
There is a remote code execution vulnerability in Excel’s processing of memory objects. This vulnerability requires an attacker to induce users to open a specially crafted Excel document. An attacker who successfully exploited this vulnerability could gain the same level of system control authority as the attacked user.
We recommend that users install the latest patches in a timely manner.