[German]There are a number of critical vulnerabilities in Windows 8.1 through Windows 10 and the corresponding server versions for which updates are available since June 9, 2020. German Federal Office for Information Security (BSI) has now issued a security advisory that warns against the exploitation of various vulnerabilities. Also Hitachi has published a security advisory Administrators should patch.
Advertising
In a warning CB-K20/0561 Update 2 German Federal Office for Information Security (BSI) points out numerous vulnerabilities in Windows. Also Hitachi Japan has listed these CVEs in a Security information for Hitachi Disk Array Systems advisory:
CVE-2020-9633 | June 2020 Adobe Flash Security Update
CVE-2020-0915 | Windows GDI Elevation of Privilege Vulnerability
CVE-2020-0916 | Windows GDI Elevation of Privilege Vulnerability
CVE-2020-0986 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1073 | Scripting Engine Memory Corruption Vulnerability
CVE-2020-1160 | Microsoft Graphics Component Information Disclosure Vulnerability
CVE-2020-1162 | Windows Elevation of Privilege Vulnerability
CVE-2020-1163 | Microsoft Windows Defender Elevation of Privilege Vulnerability
CVE-2020-1170 | Microsoft Windows Defender Elevation of Privilege Vulnerability
CVE-2020-1194 | Windows Registry Denial of Service Vulnerability
CVE-2020-1196 | Windows Print Configuration Elevation of Privilege Vulnerability
CVE-2020-1197 | Windows Error Reporting Manager Elevation of Privilege Vulnerability
CVE-2020-1199 | Windows Feedback Hub Elevation of Privilege Vulnerability
CVE-2020-1201 | Windows Now Playing Session Manager Elevation of Privilege Vulnerability
CVE-2020-1202 | Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability
CVE-2020-1203 | Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability
CVE-2020-1204 | Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
CVE-2020-1207 | Win32k Elevation of Privilege Vulnerability
CVE-2020-1208 | Jet Database Engine Remote Code Execution Vulnerability
CVE-2020-1211 | Connected Devices Platform Service Elevation of Privilege Vulnerability
CVE-2020-1212 | OLE Automation Elevation of Privilege Vulnerability
CVE-2020-1213 | VBScript Remote Code Execution Vulnerability
CVE-2020-1214 | VBScript Remote Code Execution Vulnerability
CVE-2020-1215 | VBScript Remote Code Execution Vulnerability
CVE-2020-1216 | VBScript Remote Code Execution Vulnerability
CVE-2020-1217 | Windows Runtime Information Disclosure Vulnerability
CVE-2020-1219 | Microsoft Browser Memory Corruption Vulnerability
CVE-2020-1220 | Microsoft Edge (Chromium-based) in IE Mode Spoofing Vulnerability
CVE-2020-1222 | Microsoft Store Runtime Elevation of Privilege Vulnerability
CVE-2020-1230 | VBScript Remote Code Execution Vulnerability
CVE-2020-1231 | Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1232 | Media Foundation Information Disclosure Vulnerability
CVE-2020-1233 | Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1234 | Windows Error Reporting Elevation of Privilege Vulnerability
CVE-2020-1235 | Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1236 | Jet Database Engine Remote Code Execution Vulnerability
CVE-2020-1237 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1238 | Media Foundation Memory Corruption Vulnerability
CVE-2020-1239 | Media Foundation Memory Corruption Vulnerability
CVE-2020-1241 | Windows Kernel Security Feature Bypass Vulnerability
CVE-2020-1242 | Microsoft Edge Information Disclosure Vulnerability
CVE-2020-1244 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability
CVE-2020-1246 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1247 | Win32k Elevation of Privilege Vulnerability
CVE-2020-1251 | Win32k Elevation of Privilege Vulnerability
CVE-2020-1253 | Win32k Elevation of Privilege Vulnerability
CVE-2020-1254 | Windows Modules Installer Service Elevation of Privilege Vulnerability
CVE-2020-1255 | Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability
CVE-2020-1257 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
CVE-2020-1258 | DirectX Elevation of Privilege Vulnerability
CVE-2020-1259 | Windows Host Guardian Service Security Feature Bypass Vulnerability
CVE-2020-1260 | VBScript Remote Code Execution Vulnerability
CVE-2020-1261 | Windows Error Reporting Information Disclosure Vulnerability
CVE-2020-1262 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1263 | Windows Error Reporting Information Disclosure Vulnerability
CVE-2020-1264 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1266 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1269 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1270 | Windows WLAN Service Elevation of Privilege Vulnerability
CVE-2020-1271 | Windows Backup Service Elevation of Privilege Vulnerability
CVE-2020-1272 | Windows Installer Elevation of Privilege Vulnerability
CVE-2020-1274 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1276 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1277 | Windows Installer Elevation of Privilege Vulnerability
CVE-2020-1278 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
CVE-2020-1279 | Windows Lockscreen Elevation of Privilege Vulnerability
CVE-2020-1280 | Windows Bluetooth Service Elevation of Privilege Vulnerability
CVE-2020-1281 | Windows OLE Remote Code Execution Vulnerability
CVE-2020-1282 | Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1283 | Windows Denial of Service Vulnerability
CVE-2020-1286 | Windows Shell Remote Code Execution Vulnerability
CVE-2020-1287 | Windows Wallet Service Elevation of Privilege Vulnerability
CVE-2020-1290 | Win32k Information Disclosure Vulnerability
CVE-2020-1291 | Windows Network Connections Service Elevation of Privilege Vulnerability
CVE-2020-1292 | OpenSSH for Windows Elevation of Privilege Vulnerability
CVE-2020-1293 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
CVE-2020-1294 | Windows Wallet Service Elevation of Privilege Vulnerability
CVE-2020-1296 | Windows Diagnostics & feedback Information Disclosure Vulnerability
CVE-2020-1299 | LNK Remote Code Execution Vulnerability
CVE-2020-1300 | Windows Remote Code Execution Vulnerability
CVE-2020-1301 | Windows SMB Remote Code Execution Vulnerability
CVE-2020-1302 | Windows Installer Elevation of Privilege Vulnerability
CVE-2020-1304 | Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1305 | Windows State Repository Service Elevation of Privilege Vulnerability
CVE-2020-1306 | Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1309 | Microsoft Store Runtime Elevation of Privilege Vulnerability
CVE-2020-1310 | Win32k Elevation of Privilege Vulnerability
CVE-2020-1311 | Component Object Model Elevation of Privilege Vulnerability
CVE-2020-1312 | Windows Installer Elevation of Privilege Vulnerability
CVE-2020-1314 | Windows Text Service Framework Elevation of Privilege Vulnerability
CVE-2020-1315 | Internet Explorer Information Disclosure Vulnerability
CVE-2020-1316 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1317 | Group Policy Elevation of Privilege Vulnerability
CVE-2020-1324 | Windows Elevation of Privilege Vulnerability
CVE-2020-1334 | Windows Runtime Elevation of Privilege Vulnerability
CVE-2020-1348 | Windows GDI Information Disclosure Vulnerability
These vulnerabilities may allow remote code execution (RCE). A remote, anonymous, or authenticated attacker could exploit multiple vulnerabilities in various Microsoft Windows operating systems to perform a denial of service attack, bypass security mechanisms, execute code, view confidential information, or extend privileges.
One of these vulnerabilities (CVE-2020-1206) is the SMBleed vulnerability that I discussed in the blog post Windows 10: SMBleed vulnerability in SMBv3 protocol. The following versions of Windows are affected.
- Microsoft Windows 10,
- Microsoft Windows 8.1,
- Microsoft Windows RT 8.1,
- Microsoft Windows Server,
- Microsoft Windows Server 2012,
- Microsoft Windows Server 2012 R2,
- Microsoft Windows Server 2016,
- Microsoft Windows Server 2019,
- Hitachi Network Attached Storage
Microsoft has closed these vulnerabilities with the security updates of June 9, 2020 (see also this page).
Advertising
