微软于本周二发布了5月安全更新补丁,修复了111个从简单的欺骗攻击到远程执行代码的安全问题,产品涉及.NET Core、.NET Framework、Active Directory、Common Log File System Driver、Internet Explorer、Microsoft Dynamics、Microsoft Edge、Microsoft Graphics Component、Microsoft JET Database Engine、Microsoft Office、Microsoft Office SharePoint、Microsoft Scripting Engine、Microsoft Windows、Power BI、Visual Studio、Windows Hyper-V、Windows Kernel、Windows Scripting、Windows Subsystem for Linux、Windows Task Scheduler以及Windows Update Stack。
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-May
Critical漏洞概述
本次微软共修复了15个Critical级别漏洞,下面重点介绍其中的 5个:
- CVE-2020-1023, CVE-2020-1024, CVE-2020-1069和 CVE-2020–1102
这些是微软SharePoint中的远程代码执行漏洞。攻击者可以利用这些漏洞中的任何一个来获得在受害机器或服务器上执行任意代码的能力,具体取决于特定的错误。对于CVE-2020-1069,攻击者需要上传一个特别制作的包到SharePoint服务器,以成功利用这个漏洞。剩下的部分需要用户打开一个特别制作的SharePoint文件。
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1023
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1024
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1069
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1102
- CVE-2020-1062
这是Internet Explorer web浏览器中的一个内存损坏漏洞。当用户访问一个特别设计的、由攻击者控制的web页面时,可能会触发此漏洞。攻击者可以使用一种方式构造页面,这种方式会破坏目标机器上的内存,从而允许它们在当前用户的上下文中执行任意代码。微软的更新解决了浏览器在内存中处理对象的方式。
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1062
本次更新概括
| 产品 | CVE 编号 | CVE 标题 | 严重程度 |
| Microsoft Graphics Component | CVE-2020-1117 | Microsoft Color Management 远程代码执行漏洞 | Critical |
| Microsoft Graphics Component | CVE-2020-1153 | Microsoft Graphics Components 远程代码执行漏洞 | Critical |
| Microsoft Office SharePoint | CVE-2020-1023 | Microsoft SharePoint 远程代码执行漏洞 | Critical |
| Microsoft Office SharePoint | CVE-2020-1024 | Microsoft SharePoint 远程代码执行漏洞 | Critical |
| Microsoft Office SharePoint | CVE-2020-1069 | Microsoft SharePoint Server 远程代码执行漏洞 | Critical |
| Microsoft Office SharePoint | CVE-2020-1102 | Microsoft SharePoint 远程代码执行漏洞 | Critical |
| Microsoft Scripting Engine | CVE-2020-1065 | Scripting Engine 内存破坏漏洞 | Critical |
| Microsoft Windows | CVE-2020-1028 | Media Foundation 内存破坏漏洞 | Critical |
| Microsoft Windows | CVE-2020-1126 | Media Foundation 内存破坏漏洞 | Critical |
| Microsoft Windows | CVE-2020-1136 | Media Foundation 内存破坏漏洞 | Critical |
| Visual Studio | CVE-2020-1192 | Visual Studio Code Python Extension 远程代码执行漏洞 | Critical |
| Internet Explorer | CVE-2020-1064 | MSHTML Engine 远程代码执行漏洞 | Critical |
| Internet Explorer | CVE-2020-1093 | VBScript 远程代码执行漏洞 | Critical |
| Microsoft Edge | CVE-2020-1056 | Microsoft Edge 特权提升漏洞 | Critical |
| Internet Explorer | CVE-2020-1062 | Internet Explorer 内存破坏漏洞 | Critical |
| .NET Core | CVE-2020-1108 | .NET Core & .NET Framework 拒绝服务漏洞 | Important |
| .NET Core | CVE-2020-1161 | ASP.NET Core 拒绝服务漏洞 | Important |
| .NET Framework | CVE-2020-1066 | .NET Framework 特权提升漏洞 | Important |
| Active Directory | CVE-2020-1055 | Microsoft Active Directory Federation Services 跨站脚本漏洞 | Important |
| Common Log File System Driver | CVE-2020-1154 | Windows Common Log File System Driver 特权提升漏洞 | Important |
| Microsoft Dynamics | CVE-2020-1063 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important |
| Microsoft Edge | CVE-2020-1059 | Microsoft Edge 欺骗漏洞 | Important |
| Microsoft Edge | CVE-2020-1096 | Microsoft Edge PDF 远程代码执行漏洞 | Important |
| Microsoft Graphics Component | CVE-2020-0963 | Windows GDI 信息泄露漏洞 | Important |
| Microsoft Graphics Component | CVE-2020-1054 | Win32k 特权提升漏洞 | Important |
| Microsoft Graphics Component | CVE-2020-1135 | Windows Graphics Component 特权提升漏洞 | Important |
| Microsoft Graphics Component | CVE-2020-1140 | DirectX 特权提升漏洞 | Important |
| Microsoft Graphics Component | CVE-2020-1179 | Windows GDI 信息泄露漏洞 | Important |
| Microsoft Graphics Component | CVE-2020-1141 | Windows GDI 信息泄露漏洞 | Important |
| Microsoft Graphics Component | CVE-2020-1142 | Windows GDI 特权提升漏洞 | Important |
| Microsoft Graphics Component | CVE-2020-1145 | Windows GDI 信息泄露漏洞 | Important |
| Microsoft JET Database Engine | CVE-2020-1175 | Jet Database Engine 远程代码执行漏洞 | Important |
| Microsoft JET Database Engine | CVE-2020-1051 | Jet Database Engine 远程代码执行漏洞 | Important |
| Microsoft JET Database Engine | CVE-2020-1174 | Jet Database Engine 远程代码执行漏洞 | Important |
| Microsoft JET Database Engine | CVE-2020-1176 | Jet Database Engine 远程代码执行漏洞 | Important |
| Microsoft Office | CVE-2020-0901 | Microsoft Excel 远程代码执行漏洞 | Important |
| Microsoft Office SharePoint | CVE-2020-1099 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1101 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1107 | Microsoft SharePoint 欺骗漏洞 | Important |
| Microsoft Office SharePoint | CVE-2020-1100 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1103 | Microsoft SharePoint 信息泄露漏洞 | Important |
| Microsoft Office SharePoint | CVE-2020-1104 | Microsoft SharePoint 欺骗漏洞 | Important |
| Microsoft Office SharePoint | CVE-2020-1105 | Microsoft SharePoint 欺骗漏洞 | Important |
| Microsoft Office SharePoint | CVE-2020-1106 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Windows | CVE-2020-1021 | Windows Error Reporting 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1010 | Microsoft Windows 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1048 | Windows Print Spooler 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1071 | Windows Remote Access Common Dialog 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1076 | Windows 拒绝服务漏洞 | Important |
| Microsoft Windows | CVE-2020-1078 | Windows Installer 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1084 | Connected User Experiences and Telemetry Service 拒绝服务漏洞 | Important |
| Microsoft Windows | CVE-2020-1116 | Windows CSRSS 信息泄露漏洞 | Important |
| Microsoft Windows | CVE-2020-1118 | Microsoft Windows Transport Layer Security 拒绝服务漏洞 | Important |
| Microsoft Windows | CVE-2020-1124 | Windows State Repository Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1134 | Windows State Repository Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1137 | Windows Push Notification Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1138 | Windows Storage Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1143 | Win32k 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1144 | Windows State Repository Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1149 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1150 | Media Foundation 内存破坏漏洞 | Important |
| Microsoft Windows | CVE-2020-1151 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1155 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1156 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1157 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1158 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1186 | Windows State Repository Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1189 | Windows State Repository Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1190 | Windows State Repository Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1067 | Windows 远程代码执行漏洞 | Important |
| Microsoft Windows | CVE-2020-1068 | Microsoft Windows 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1070 | Windows Print Spooler 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1072 | Windows Kernel 信息泄露漏洞 | Important |
| Microsoft Windows | CVE-2020-1077 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1079 | Microsoft Windows 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1081 | Windows Printer Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1082 | Windows Error Reporting 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1086 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1088 | Windows Error Reporting 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1090 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1111 | Windows Clipboard Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1112 | Windows Background Intelligent Transfer Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1121 | Windows Clipboard Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1123 | Connected User Experiences and Telemetry Service 拒绝服务漏洞 | Important |
| Microsoft Windows | CVE-2020-1125 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1131 | Windows State Repository Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1132 | Windows Error Reporting Manager 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1139 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1164 | Windows Runtime 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1165 | Windows Clipboard Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1166 | Windows Clipboard Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1184 | Windows State Repository Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1185 | Windows State Repository Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1187 | Windows State Repository Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1188 | Windows State Repository Service 特权提升漏洞 | Important |
| Microsoft Windows | CVE-2020-1191 | Windows State Repository Service 特权提升漏洞 | Important |
| Power BI | CVE-2020-1173 | Microsoft Power BI Report Server 欺骗漏洞 | Important |
| Visual Studio | CVE-2020-1171 | Visual Studio Code Python Extension 远程代码执行漏洞 | Important |
| Windows Hyper-V | CVE-2020-0909 | Windows Hyper-V 拒绝服务漏洞 | Important |
| Windows Kernel | CVE-2020-1114 | Windows Kernel 特权提升漏洞 | Important |
| Windows Kernel | CVE-2020-1087 | Windows Kernel 特权提升漏洞 | Important |
| Windows Scripting | CVE-2020-1061 | Microsoft Script Runtime 远程代码执行漏洞 | Important |
| Windows Subsystem for Linux | CVE-2020-1075 | Windows Subsystem for Linux 信息泄露漏洞 | Important |
| Windows Task Scheduler | CVE-2020-1113 | Windows Task Scheduler 安全功能绕过漏洞 | Important |
| Windows Update Stack | CVE-2020-1110 | Windows Update Stack 特权提升漏洞 | Important |
| Windows Update Stack | CVE-2020-1109 | Windows Update Stack 特权提升漏洞 | Important |
| Internet Explorer | CVE-2020-1092 | Internet Explorer 内存破坏漏洞 | Low |
| Microsoft Scripting Engine | CVE-2020-1035 | VBScript 远程代码执行漏洞 | Low |
| Microsoft Scripting Engine | CVE-2020-1058 | VBScript 远程代码执行漏洞 | Low |
| Microsoft Scripting Engine | CVE-2020-1060 | VBScript 远程代码执行漏洞 | Low |
| Microsoft Scripting Engine | CVE-2020-1037 | Chakra Scripting Engine 内存破坏漏洞 | Moderate |
微软官方已经发布更新补丁,请及时进行补丁更新。