Microsoft patches critical flaw in Windows 10 that allows remote code execution with a single shortcut
Microsoft has broken its own record for releasing CVEs in June’s Patch Tuesday as the software giant has patched 129 vulnerabilities in Windows 10, Office, Microsoft Edge and its other software.
This month’s update includes fixes for a number of security flaws including CVEs for 11 critical remote-code execution vulnerabilities. However, June’s Patch Tuesday did not include any zero-day vulnerabilities that are being actively exploited in the wild.
In a blog post, Dustin C. Childs from Trend Micro’s Zero Day Initiative provided further insight on the sheer number of vulnerabilities addressed by Microsoft in this month’s Patch Tuesday, saying:
“For June, Microsoft released patches for 129 CVEs covering Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based and Chromium-based in IE Mode), ChakraCore, Office and Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, and Microsoft Apps for Android. This is the fourth month in a row that Microsoft has released patches for more than 110 CVEs, and this is the highest number of CVEs ever released by Microsoft in a single month. This brings the total number of Microsoft patches released this year to 616 – just 49 shy of the total number of CVEs they addressed in all of 2017.”
Remote code execution flaws
Of the 129 vulnerabilities patched by Microsoft, CVE-2020-1299 in Windows 10 stands out from the rest as it could allow remote code execution when a .LNK file, which is a shortcut or “link”, is processed.
If an attacker were to embed a malicious shortcut in a removable drive or remote share and convince a user to open it, then the malicious binary will be able to execute code. Successfully exploiting this vulnerability would give an attacker the same user rights as a local user on a system running Windows 10.
Microsoft also patched five remote-code execution flaws in its Active Scripting language VBScript that exist in the way that its engine handles objects in memory. The company explained just what an attacker could do if they successfully exploited these vulnerabilities, saying:
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative-user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.”
Via ThreatPost