Microsoft Patch Tuesday Tops 100 CVEs For Third Month
Microsoft has fixed 111 vulnerabilities in its latest update round, the third month in a row that the number of addressed CVEs has exceeded a century.
Although there are no zero-day bugs to fix this month, 13 of the flaws were rated as critical, with many of them exploitable simply by visiting a web page or server, according to Recorded Future senior solutions architect, Allan Liska.
He said organizations should prioritize CVE-2020-1117, a remotely executable (RCE) vulnerability in the Microsoft Color Management Module (ICM32.dll), which could be exploited if an attacker persuades a victim to visit a website under their control, or via malvertizing.
Another RCE bug, CVE-2020-1153, exists in the Microsoft Graphics Component and affects end-of-life systems including Windows 7 and Server 2008.
There are also four critical flaws to patch in Microsoft SharePoint, versions 2013 to 2019: CVE-2020-1023, CVE-2020-1024, CVE-2020-1069 and CVE-2020-1102.
“SharePoint is increasingly targeted by attackers and similar vulnerabilities have been exploited in the wild,” explained Liska. “With more people working from home during the pandemic, it is likely these vulnerabilities will be targeted once proof-of-concept code is developed.”
Meanwhile, Todd Schell, senior product manager at Ivanti, argued that sysadmins should take care when prioritizing which bugs to fix first.
“What is interesting, and often overlooked, is that seven of the 10 CVEs at higher risk of exploit are only rated as important. It is not uncommon to look at the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are actually the ones rated as important,” he explained.
“If your prioritization stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics. Look to other risk metrics such as publicly disclosed, exploited (obviously) and exploitability assessment (Microsoft specific) to expand your prioritization process.”