icetray - Fotolia
May Patch Tuesday brings a bevy of SharePoint fixes
Microsoft delivers corrections for 111 unique vulnerabilities with a significant number aimed at SharePoint, which may signal growing interest from attackers.
Most in IT will find their May patching workload, while still large in number, not as stressful as the previous month. However, SharePoint administrators will find a distressing number of patches available for the collaboration platform.
This month, Microsoft corrected 111 unique vulnerabilities with 16 rated critical. Last month, administrators faced three zero-days and 19 critical vulnerabilities among the 113 vulnerabilities. Most of the bugs identified in the May Patch Tuesday cluster around the usual suspects -- the Windows client and server operating systems and web browsers -- but administrators will want to also focus on SharePoint which gets a total of 12 bug fixes, including four rated critical.
The dramatic uptick in remote workers due to the COVID-19 pandemic has been met with a similar increase in attacks that target these users to find a foothold into an organization's network. It's possible the sudden growth of employees working from home correlates with the sizeable number of SharePoint vulnerabilities corrected this month.
"SharePoint has become a foundation of what drives the Office platform," said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah. "It definitely has increased in popularity and, with that, I would expect that threat actors are going to spend a little bit more attention on it because it's a means for them to get in and try one more way to do that."
Chris GoettlDirector of product management and security, Ivanti
Four of the critical vulnerabilities (CVE-2020-1023, CVE-2020-1024, CVE-2020-1069 and CVE-2020-1102) in SharePoint would give remote-code execution abilities to an attacker, who could then move throughout the network and perform a range of actions, such as access sensitive information in databases, run malicious code or find a way to embed their position. The remaining eight vulnerabilities, rated important, correct spoofing and information disclosure problems.
The unexpected shift to a remote-work setting for many workers coincided with a speedy distribution of laptops that might have sacrificed security for the sake of efficiency, leaving endpoints -- as well as every connected device on the company network -- at risk.
"Zoom obviously had the biggest explosion in popularity, but Microsoft Teams was arguably second in line. One of the things that comes with Teams is the ability to share files collaboratively in meeting sessions or chats or team groups. All that is driven by SharePoint," Goettl said.
In addition to SharePoint, Windows and web browsers, May Patch Tuesday security updates also corrected issues with the ChakraCore JavaScript engine, Microsoft Office and Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, .NET Framework, .NET Core and Power BI products.
The relatively low number of critical vulnerabilities should not minimize the urgency to roll out the updates as quickly as possible. Goettl noted that 10 of the 111 CVEs for May Patch Tuesday have a "1 - Exploitation More Likely" rating in Microsoft's exploitability index, which assigns a 0-3 rating based on analysis the company attaches to each CVE. A vulnerability with the "0 - Exploitation Detected" rating means there are reports of exploits for the flaw, while bugs marked with "3 - Exploitation Unlikely" indicate the slim likelihood of an attacker creating an exploit.
Out of the 10 CVEs rated "Exploitation More Likely" for May Patch Tuesday, seven have a severity level of important which should give some organizations pause when they determine their patch deployment priorities.
"If you look just at vendor severity, many of the zero-days that we've seen over the past couple of years were actually only rated as important. And that's on the day that Microsoft said it knew the CVE was actively exploited, so a lot of times you can't take severity as the only indicator," Goettl said.
Other noteworthy fixes for May Patch Tuesday
A memory corruption vulnerability (CVE-2020-1062) in Internet Explorer, critical for Windows desktop systems, could give an attacker a way to run code in the same context as the afflicted user, then obtain that user's rights. The user would first need to visit a specially crafted website with Internet Explorer.
An elevation-of-privilege vulnerability (CVE-2020-1135) in the Windows Graphics Component, rated important for Windows 10 and Windows Server 2019, has a "1 - Exploitation More Likely" designation by Microsoft. This bug could let an attacker run a specially crafted program to take control of an unpatched system.
Patch-related updates for legacy Windows systems
Organizations that have Windows 7 and Windows Server 2008/2008 R2 systems and paid for the annual subscription to the Extended Security Updates (ESU) program should be aware of several updates related to the ESU multiple activation key (MAK). The MAK registry value allows the legacy systems to continue to receive security patches after those OSes went out of support after Jan. 14.
On May 6, Microsoft updated the licensing preparation package documentation at the following link for administrators who still manage these legacy Windows systems, including the need to reactivate the MAK key in some Windows Server 2008 R2 systems to obtain security updates.
Legacy Windows OSes -- Windows 7 and Server 2008/2008 R2 (including Core versions) -- also received servicing stack updates this month. These come as recommended updates that can be overlooked because they are not part of the cumulative update for each operating system. Administrators will need to perform preventative maintenance and install these servicing stack packages as they become available to avoid problems with future security updates.