Microsoft has released its security updates for the month of May. SharePoint once again tops the list of the most vulnerable products, with four critical flaws. In all, 111 vulnerabilities were fixed.
For the third month in a row, Microsoft's Patch Tuesday addresses more than 100 flaws. The vendor resolved 111 security issues across its entire product line: Windows, Edge, ChakraCore, Internet Explorer, Office, Windows Defender, Dynamics, and others. According to Microsoft, none of them is known to have been exploited in the wild; 16 are rated critical and 96 important.
Most of these fixes address Elevation of Privilege (EoP) issues: 56 are counted in the May update, mostly in various Windows components. Microsoft rates exploitation of three of them as "more likely": two in Win32k (CVE-2020-1054, CVE-2020-1143) and one in the Windows graphics component (CVE-2020-1135). An attacker who successfully exploited one of these vulnerabilities could run arbitrary code in kernel mode and then install programs; view, change or delete data; or create new accounts with full user rights. Note that these are local privilege escalations: the attacker first needs to be able to run code on the machine, typically after an initial compromise, so they are usually chained with a remote code execution or phishing foothold rather than exploited on their own.
SharePoint still shaky
Another flaw singled out by the vendor is in Edge (CVE-2020-1056). Microsoft's browser does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another, according to the vendor. This kind of attack, however, requires user interaction: for example, the attacker must persuade the victim to click a link that leads to an attacker-controlled site.
SharePoint, Microsoft's collaboration platform, remains the most problematic product, with no fewer than four critical issues to its name in May. The CVE-2020-1023 and CVE-2020-1102 flaws would allow an attacker to gain access to a system and read or delete content, make changes, or execute code directly on the system. Exploiting CVE-2020-1024 would allow arbitrary code to run in the context of the SharePoint application pool and the SharePoint farm account, which could affect every user of the platform. Because the farm account typically has broad rights across the whole SharePoint deployment, administrators should prioritise these patches on internet-facing SharePoint servers.