Welcome back to this week's security bulletin!
Microsoft has released its June 2020 security updates, which patch 129 vulnerabilities affecting different versions of Microsoft products and Windows operating systems. They include 11 critical vulnerabilities that allow remote code execution attacks and 128 classified as essential, most of which lead to spoofing attacks and privilege escalation.
The security flaws include an information disclosure vulnerability (CVE-2020-1206) in Server Message Block (SMB) 3.1.1, which can be exploited to perform remote code execution. The way the VBScript engine handles objects in memory was affected by three critical bugs (CVE-2020-1213, CVE-2020-1216, and CVE-2020-1260).
One of the eleven critical issues is a vulnerability (CVE-2020-1299) in how Windows handles Shortcut (.LNK) files, which allows attackers to execute arbitrary code on the targeted systems remotely. Like all previous LNK vulnerabilities, this type of attack could also lead to victims losing control over their computers or having their sensitive data stolen.
Besides these, the security update also mitigates a vulnerability (CVE-2020-9633) affecting Adobe Flash Player for Windows systems. We suggest that all users apply these latest updates to their respective products.
Amazon S3 (Simple Storage Service), a cloud storage solution, has gained popularity due to its simple, scalable, high-speed architecture and its low cost. We can store and retrieve any amount of data, at any time, from anywhere on the web. The data is stored as objects in S3 buckets, and we can configure privacy policies to restrict public access. Here comes the role of hackers!
Researchers found that a hacking group exploited misconfigured S3 buckets to insert malicious code into websites for malvertising campaigns and to gain credit card information. The cybersecurity firm that identified the issue said that "Misconfigured S3 buckets that allow malicious actors to insert their code into numerous websites is an ongoing issue."
In order to mitigate the issue, S3 buckets need to be configured with the right level of permission by using an access control list (ACL) with bucket policies.