This month’s “Patch Tuesday” became the largest in Microsoft’s history: 129 vulnerabilities were fixed at once. March 2020, with 115 corrections, is in second place, and April 2020, with 113 corrections, is in third place.
The February “Patch Tuesday” brought 100 absolutely “ridiculous” Microsoft patches, but among them was a fix for the sensational 0-day vulnerability in Internet Explorer, which attackers were actively exploiting.
Overall, the company has issued 616 corrections this year, which is almost as many as in all of 2017.
“This time there were no 0-day vulnerabilities, which means that any of the fixed bugs was under attack,” said Microsoft engineers.
Of all 129 vulnerabilities, only 11 received critical status (they affect Windows itself, the Edge and Internet Explorer browsers, as well as SharePoint).
Another 109 problems are rated as important (they affect Windows, the company’s browsers, Office, Windows Defender, Dynamics, Visual Studio, Azure DevOps and Android applications).
The most serious problems this month include:
- CVE-2020-1181 – remote code execution in Microsoft SharePoint
- CVE-2020-1225, CVE-2020-1226 – remote code execution in Microsoft Excel
- CVE-2020-1223 – remote code execution in Word for Android
- CVE-2020-1248 – remote code execution in the Windows Graphics Device Interface (GDI)
- CVE-2020-1281 – remote code execution in Windows OLE
- CVE-2020-1299 – remote code execution when processing .LNK files
- CVE-2020-1300 – remote code execution in the print spooler component
- CVE-2020-1301 – remote code execution in Windows SMB
- CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260 – remote code execution in the VBScript engine
However, Microsoft was not the only company to prepare patches for its products this week. Adobe developers also fixed a number of serious problems in Flash Player, Framemaker and Experience Manager.
SAP developers released 17 security bulletins and prepared patches for Apache Tomcat (CVE-2020-1938), two bugs in SAP Commerce (CVE-2020-6265, CVE-2020-6264), vulnerabilities in SAP Success Factors (CVE-2020-6279), as well as issues in NetWeaver (CVE-2020-6275).
Intel has fixed more than 20 different vulnerabilities, including bugs in the Innovation Engine (CVE-2020-8675) and Special Register Buffer (CVE-2020-0543). The latter problem is called CrossTalk, and it allows confidential data to be leaked from SGX enclaves.