May Patch Tuesday Has Arrived

Microsoft have released 111 patches today, the third largest release of 2020. So far this year, there have been 487 patches released and we are only in May.

There are 16 Critical patches with the remaining 95 marked Important. Support for Windows 7 and Windows Server 2008 (including R2) was officially ended after January, but there are plenty of updates released this month for customers who have purchased an extension agreement.

Robert Brown, Director of Services for Syxsense said, “For the previous 4 months, we have had on average over 100 updates each month – that is almost 2GB per device per month. Now is the time to start building a patching strategy which does not depend on VPN or patching in line of sight of your servers. Users who are now working from home remain more vulnerable than they have ever been.”

Patches of Interest

1. CVE-2020-1126: This vulnerability is a buffer overflow advisory which impacts both Windows 7, 8.1, 10 and the Server 2012. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system, although there are no known exploits at the moment but the vulnerability can be exploited by a non-authenticated user remotely via the internet.
2. CVE-2020-1117: This vulnerability is incredibly dangerous for users who have more than Power User rights, as convincing the user to run a malicious link will expose that system and the attacker can have free access to the system. This can include the installation of ransomware or the infection of other systems on the network.
3. CVE-2020-1118: Although this has a severity of Important not Critical, this carries a CVSS score of 8.6 (one of the highest of this release). Without a countermeasure for this vulnerability, an attacker can install ransomware, steal data or even trigger a continuous shutdown loop which could cause countless problems for any company.