On Tuesday of this week, Microsoft released its May security update patches, fixing 111 security issues ranging from simple spoofing attacks to remote code execution. The affected products include .NET Core, .NET Framework, Active Directory, Common Log File System Driver, Internet Explorer, Microsoft Dynamics, Microsoft Edge, Microsoft Graphics Component, Microsoft JET Database Engine, Microsoft Office, Microsoft Office SharePoint, Microsoft Scripting Engine, Microsoft Windows, Power BI, Visual Studio, Windows Hyper-V, Windows Kernel, Windows Scripting, Windows Subsystem for Linux, Windows Task Scheduler and Windows Update Stack.

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-May

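Critical Vulnerability Overview

Microsoft fixed 15 Critical-severity vulnerabilities in this release; 5 of them are highlighted below:

  • CVE-2020-1023, CVE-2020-1024, CVE-2020-1069 and CVE-2020-1102

These are remote code execution vulnerabilities in Microsoft SharePoint. An attacker could exploit any one of them to gain the ability to execute arbitrary code on the victim machine or server, depending on the specific bug. For CVE-2020-1069, the attacker needs to upload a specially crafted package to the SharePoint server to exploit the vulnerability successfully. The remaining ones require a user to open a specially crafted SharePoint file.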

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1023

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1024

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1069

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1102

  • CVE-2020-1062

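This is a memory corruption vulnerability in the Internet Explorer web browser. It can be triggered when a user visits a specially crafted, attacker-controlled web page. The attacker can construct the page in a way that corrupts memory on the target machine, allowing them to execute arbitrary code in the context of the current user. Microsoft's update addresses how the browser handles objects in memory.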

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1062

Update Summary

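| Product | CVE ID | CVE Title | Severity |
| --- | --- | --- | --- |
| Microsoft Graphics Component | CVE-2020-1117 | Microsoft Color Management Remote Code Execution Vulnerability | Critical |
| Microsoft Graphics Component | CVE-2020-1153 | Microsoft Graphics Components Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-1023 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-1024 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-1069 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2020-1102 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Scripting Engine | CVE-2020-1065 | Scripting Engine Memory Corruption Vulnerability | Critical |
| Microsoft Windows | CVE-2020-1028 | Media Foundation Memory Corruption Vulnerability | Critical |
| Microsoft Windows | CVE-2020-1126 | Media Foundation Memory Corruption Vulnerability | Critical |
| Microsoft Windows | CVE-2020-1136 | Media Foundation Memory Corruption Vulnerability | Critical |
| Visual Studio | CVE-2020-1192 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Critical |
| Internet Explorer | CVE-2020-1064 | MSHTML Engine Remote Code Execution Vulnerability | Critical |
| Internet Explorer | CVE-2020-1093 | VBScript Remote Code Execution Vulnerability | Critical |
| Microsoft Edge | CVE-2020-1056 | Microsoft Edge Elevation of Privilege Vulnerability | Critical |
| Internet Explorer | CVE-2020-1062 | Internet Explorer Memory Corruption Vulnerability | Critical |
| .NET Core | CVE-2020-1108 | .NET Core & .NET Framework Denial of Service Vulnerability | Important |
| .NET Core | CVE-2020-1161 | ASP.NET Core Denial of Service Vulnerability | Important |
| .NET Framework | CVE-2020-1066 | .NET Framework Elevation of Privilege Vulnerability | Important |
| Active Directory | CVE-2020-1055 | Microsoft Active Directory Federation Services Cross-Site Scripting Vulnerability | Important |
| Common Log File System Driver | CVE-2020-1154 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Dynamics | CVE-2020-1063 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important |
| Microsoft Edge | CVE-2020-1059 | Microsoft Edge Spoofing Vulnerability | Important |
| Microsoft Edge | CVE-2020-1096 | Microsoft Edge PDF Remote Code Execution Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-0963 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1054 | Win32k Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1135 | Windows Graphics Component Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1140 | DirectX Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1179 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1141 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1142 | Windows GDI Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2020-1145 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-1175 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-1051 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-1174 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft JET Database Engine | CVE-2020-1176 | Jet Database Engine Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2020-0901 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1099 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1101 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1107 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1100 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1103 | Microsoft SharePoint Information Disclosure Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1104 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1105 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2020-1106 | Microsoft Office SharePoint XSS Vulnerability | Important |
| Microsoft Windows | CVE-2020-1021 | Windows Error Reporting Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1010 | Microsoft Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1048 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1071 | Windows Remote Access Common Dialog Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1076 | Windows Denial of Service Vulnerability | Important |
| Microsoft Windows | CVE-2020-1078 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1084 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important |
| Microsoft Windows | CVE-2020-1116 | Windows CSRSS Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-1118 | Microsoft Windows Transport Layer Security Denial of Service Vulnerability | Important |
| Microsoft Windows | CVE-2020-1124 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1134 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1137 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1138 | Windows Storage Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1143 | Win32k Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1144 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1149 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1150 | Media Foundation Memory Corruption Vulnerability | Important |
| Microsoft Windows | CVE-2020-1151 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1155 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1156 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1157 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1158 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1186 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1189 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1190 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1067 | Windows Remote Code Execution Vulnerability | Important |
| Microsoft Windows | CVE-2020-1068 | Microsoft Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1070 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1072 | Windows Kernel Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2020-1077 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1079 | Microsoft Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1081 | Windows Printer Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1082 | Windows Error Reporting Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1086 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1088 | Windows Error Reporting Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1090 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1111 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1112 | Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1121 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1123 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important |
| Microsoft Windows | CVE-2020-1125 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1131 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1132 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1139 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1164 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1165 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1166 | Windows Clipboard Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1184 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1185 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1187 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1188 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2020-1191 | Windows State Repository Service Elevation of Privilege Vulnerability | Important |
| Power BI | CVE-2020-1173 | Microsoft Power BI Report Server Spoofing Vulnerability | Important |
| Visual Studio | CVE-2020-1171 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Important |
| Windows Hyper-V | CVE-2020-0909 | Windows Hyper-V Denial of Service Vulnerability | Important |
| Windows Kernel | CVE-2020-1114 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2020-1087 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Scripting | CVE-2020-1061 | Microsoft Script Runtime Remote Code Execution Vulnerability | Important |
| Windows Subsystem for Linux | CVE-2020-1075 | Windows Subsystem for Linux Information Disclosure Vulnerability | Important |
| Windows Task Scheduler | CVE-2020-1113 | Windows Task Scheduler Security Feature Bypass Vulnerability | Important |
| Windows Update Stack | CVE-2020-1110 | Windows Update Stack Elevation of Privilege Vulnerability | Important |
| Windows Update Stack | CVE-2020-1109 | Windows Update Stack Elevation of Privilege Vulnerability | Important |
| Internet Explorer | CVE-2020-1092 | Internet Explorer Memory Corruption Vulnerability | Low |
| Microsoft Scripting Engine | CVE-2020-1035 | VBScript Remote Code Execution Vulnerability | Low |
| Microsoft Scripting Engine | CVE-2020-1058 | VBScript Remote Code Execution Vulnerability | Low |
| Microsoft Scripting Engine | CVE-2020-1060 | VBScript Remote Code Execution Vulnerability | Low |
| Microsoft Scripting Engine | CVE-2020-1037 | Chakra Scripting Engine Memory Corruption Vulnerability | Moderate |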

Microsoft has released the official update patches; please apply them promptly.