Tuesday, June 9, 2020

Microsoft Patch Tuesday for June 2020 — Snort rules and prominent vulnerabilities

By Jon Munshaw. 

Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products.

While none of the vulnerabilities disclosed have been exploited in the wild, users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation. 

The security updates cover several different products including the VBScript engine, SharePoint file-sharing service and GDI+.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For complete details, check out the latest Snort advisory here.

One of the most urgent patches concerns CVE-2020-1248, a remote code execution vulnerability in the Windows Graphics Device Interface (GDI). An attacker could exploit this vulnerability by either tricking the user into opening a specially crafted web page or a malicious file via social engineering techniques. If successful, the attacker could then leverage the vulnerability in a way that would give them full control of the affected system in the context of the current user. CVE-2020-1248 has a CVSS of 8.4 out of 10.

Microsoft Excel also contains two remote code execution vulnerabilities — CVE-2020-1225 and CVE-2020-1226. Microsoft considers both bugs “important.” An adversary can exploit this vulnerability by tricking a user into opening a specific Excel file. A user must open the file in Excel — the Preview pane is not an attack vector. If successful, the adversary will gain the ability to remotely execute code in the context of the current user.

Another important vulnerability is CVE-2020-1301 — a remote code execution bug in Windows SMBv1. An attacker could send a specially crafted packet to an SMBv1 server to gain the ability to execute arbitrary code on an affected server. Users are encouraged to update their servers and disable SMBv1 as an alternative workaround.

It’s also worth noting CVE-2020-1223, a remote code execution vulnerability in some Android versions of Word. This bug arises when the Android version of the Word app fails to properly handle certain files, potentially allowing an attacker to remotely execute code on the affected device. Users are encouraged to use the Google Play store to update the app. 

The vast majority of the other vulnerabilities in this month’s Patch Tuesday are considered important. Visit Microsoft’s update page for complete details. 

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 52213 - 52217, 54191 - 54194, 54219, 54220, 54230 - 54240, 54245 - 54250, 54270 and 54271.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.