Top Windows Vulnerabilities: May 2020 Update

Every month, more than a thousand software vulnerabilities get reported or updated, and May 2020 was no different. While the numbers dropped slightly compared to March and April, VulnDB registered 1,225 new vulnerabilities in May, with most of these vulnerabilities affecting the widely used family of Microsoft Windows products.

In total, Microsoft released patched for 111 vulnerabilities for various products, with 16 of the CVEs rated critical and the remaining 95 as classified as important. Adobe also released patches for 36 vulnerabilities in May.

There were quite a few Elevation Of Privilege (EoP) vulnerabilities that would allow an attacker to increase their access to a system. They usually require the attacker to have access to the system in order to conduct the exploit, but they can potentially lead to further attacks once successful.

1. The first example, CVE-2020-1054, uses a flaw in the Windows kernel-mode driver and how it handles objects in memory. Successful exploitation of this vulnerability could allow an attacker that is logged in as a local user to run arbitrary code in kernel mode. Doing so would allow the attacker to embedded malware deep in the system or modify and disable various security settings on a system. This flaw is present in all newer versions of Windows, including Windows 7 32-bit, Windows 10 64-bit, and Windows Server 2019.
2. Another EoP vulnerability (CVE-2020-1135) in the Windows Graphics Component exploits a use-after-free condition in the Windows kernel driver. Again, this would allow an attacker who is logged in to execute arbitrary code with the highest privileges and, as an example, install a rootkit malware.
3. There was also a vulnerability in the Microsoft Color Management that could lead to Remote Code Execution (RCE) (CVE-2020-1117). An attacker could trick a user to visit a specially prepared web site by sending a link through email or instant messenger. The website can then exploit the vulnerability to install malware without requiring the user to deliberately download anything – a classic drive-by download exploit like we have seen many in exploit-kits in the past.
4. There was also a vulnerability found in the Windows Remote Access Common Dialog (CVE-2020-1071). It is an Elevation Of Privilege (EoP) vulnerability, but this time the attacker needs physical access to the computer in order to boot it from the login screen. Exploiting this bug gives the attacker privileged code execution and, for example, enables a system command prompt that can lead to full system access. This could happen on computers used as kiosk stations in hotels and airports where physical access is given.
5. The Microsoft Windows Transport Layer Security (TLS) also has a vulnerability that got patched (CVE-2020-1118). This vulnerability could lead to a Denial of Service (DoS) condition. A remote, unauthenticated user can exploit a weakness in the TLS handshake by sending a maliciously crafted client key exchange message. Successful exploitation causes the lsass.exe process to terminate and therefore the system to stop responding and then reboot. This bug affected both clients and TLS servers for TLS version 1.2 and lower. An attacker will not be able to decrypt the traffic, but crashing a system can lead to unwanted states and a lot of work for the support team.

Given the continuous, monthly growth of potential exploits, it is vital to check all your deployed systems for vulnerabilities and apply patches as quickly as possible where possible.

Acronis Cyber Protect Cloud, which is available as part of the Acronis Cyber Cloud service provider platform, delivers top-level vulnerability assessments and patch management functionality that provides a number of useful, unique features due to its close integration between exceptional cybersecurity and an award-winning backup solution.