in

Microsoft July 2020 Patch Tuesday fixes 123 vulnerabilities

The monthly security updates for Microsoft products — also known as Patch Tuesday — are out for the month of July 2020.

This month, Redmond fixed 123 security flaws across 13 products. None of the security bugs fixed this month have been observed being exploited in the real world.

The most severe bug patched this month is a bug (CVE-2020-1350) in the Windows Server DNS component. Discovered by Check Point researchers, the bug received a 10 out of 10 severity rating, and researchers say the bug can be easily weaponized to create wormable (self-propagating) malware.

See ZDNet’s separate coverage for this bug, codenamed SigRed, here.

Other important bugs patched this month also include remote code vulnerabilities in:

  • The RemoteFX vGPU component of Microsoft’s Hyper-V hypervisor technology (CVE-2020-1041, CVE-2020-1040, CVE-2020-1032, CVE-2020-1036, CVE-2020-1042, CVE-2020-1043)
  • The Jet Database Engine included with some Office applications (CVE-2020-1400, CVE-2020-1401, CVE-2020-1407)
  • Microsoft Word (CVE-2020-1446, CVE-2020-1447, CVE-2020-1448)
  • Microsoft Excel (CVE-2020-1240)
  • Microsoft Outlook (CVE-2020-1349)
  • Microsoft Sharepoint (CVE-2020-1444)
  • Windows LNK shortcut files (CVE-2020-1421)
  • Various Windows graphics components (CVE-2020-1435, CVE-2020-1408, CVE-2020-1412, CVE-2020-1409, CVE-2020-1436, CVE-2020-1355)

These “remote code execution” vulnerabilities are the most severe, as they allow hackers to execute code on a system in remote attack scenarios.

Since Patch Tuesday updates are delivered in monthly blocks, system administrators can’t select which patches to apply and which they don’t. System administrators are advised to review the threat posed by the RCE vulnerabilities listed above and decide the urgency for patching to each of their respetive organizations.

System administrators who manage large fleets of computers — such as those deployed across enterprises and government organizations — are also advised to test today’s updates for any bugs before deploying them to production systems.

Malware authors are known to follow Microsoft’s monthly security updates, select the most useful/dangerous bugs, and patch-diff the security updates packages to find the exact bug Microsoft fixed — so they can weaponize them for upcoming attacks.

Below is some useful information about today’s Patch Tuesday, but also the security updates released by other companies this month, which sysadmins might also need to address as well, besides Microsoft’s batch.

  • Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
  • ZDNet has published this file listing all this month’s security advisories on one single page.
  • Adobe’s security updates are detailed here.
  • SAP security updates are available here.
  • VMWare security updates are available here.
  • Oracle’s quarterly patches (for Q2 2020, July edition) are available here.
  • Chrome 84 security updates are detailed here.
  • The Android Security Bulletin for July 2020 is detailed here. Patches started rolling out to users’ phones last week.
TagCVE IDCVE Title
Windows IISADV200008Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers
.NET FrameworkCVE-2020-1147.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
Azure DevOpsCVE-2020-1326Azure DevOps Server Cross-site Scripting Vulnerability
Internet ExplorerCVE-2020-1432Skype for Business via Internet Explorer Information Disclosure Vulnerability
Microsoft EdgeCVE-2020-1433Microsoft Edge PDF Information Disclosure Vulnerability
Microsoft EdgeCVE-2020-1462Skype for Business via Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability
Microsoft Graphics ComponentCVE-2020-1355Windows Font Driver Host Remote Code Execution Vulnerability
Microsoft Graphics ComponentCVE-2020-1468Windows GDI Information Disclosure Vulnerability
Microsoft Graphics ComponentCVE-2020-1351Microsoft Graphics Component Information Disclosure Vulnerability
Microsoft Graphics ComponentCVE-2020-1436Windows Font Library Remote Code Execution Vulnerability
Microsoft Graphics ComponentCVE-2020-1435GDI+ Remote Code Execution Vulnerability
Microsoft Graphics ComponentCVE-2020-1412Microsoft Graphics Components Remote Code Execution Vulnerability
Microsoft Graphics ComponentCVE-2020-1409DirectWrite Remote Code Execution Vulnerability
Microsoft Graphics ComponentCVE-2020-1408Microsoft Graphics Remote Code Execution Vulnerability
Microsoft Graphics ComponentCVE-2020-1397Windows Imaging Component Information Disclosure Vulnerability
Microsoft Graphics ComponentCVE-2020-1381Windows Graphics Component Elevation of Privilege Vulnerability
Microsoft Graphics ComponentCVE-2020-1382Windows Graphics Component Elevation of Privilege Vulnerability
Microsoft JET Database EngineCVE-2020-1407Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database EngineCVE-2020-1400Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database EngineCVE-2020-1401Jet Database Engine Remote Code Execution Vulnerability
Microsoft Malware Protection EngineCVE-2020-1461Microsoft Defender Elevation of Privilege Vulnerability
Microsoft OfficeCVE-2020-1445Microsoft Office Information Disclosure Vulnerability
Microsoft OfficeCVE-2020-1446Microsoft Word Remote Code Execution Vulnerability
Microsoft OfficeCVE-2020-1349Microsoft Outlook Remote Code Execution Vulnerability
Microsoft OfficeCVE-2020-1439PerformancePoint Services Remote Code Execution Vulnerability
Microsoft OfficeCVE-2020-1240Microsoft Excel Remote Code Execution Vulnerability
Microsoft OfficeCVE-2020-1458Microsoft Office Remote Code Execution Vulnerability
Microsoft OfficeCVE-2020-1442Office Web Apps XSS Vulnerability
Microsoft OfficeCVE-2020-1449Microsoft Project Remote Code Execution Vulnerability
Microsoft OfficeCVE-2020-1447Microsoft Word Remote Code Execution Vulnerability
Microsoft OfficeCVE-2020-1448Microsoft Word Remote Code Execution Vulnerability
Microsoft Office SharePointCVE-2020-1456Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePointCVE-2020-1454Microsoft SharePoint Reflective XSS Vulnerability
Microsoft Office SharePointCVE-2020-1342Microsoft Office Information Disclosure Vulnerability
Microsoft Office SharePointCVE-2020-1443Microsoft SharePoint Spoofing Vulnerability
Microsoft Office SharePointCVE-2020-1450Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePointCVE-2020-1444Microsoft SharePoint Remote Code Execution Vulnerability
Microsoft Office SharePointCVE-2020-1451Microsoft Office SharePoint XSS Vulnerability
Microsoft OneDriveCVE-2020-1465Microsoft OneDrive Elevation of Privilege Vulnerability
Microsoft Scripting EngineCVE-2020-1403VBScript Remote Code Execution Vulnerability
Microsoft WindowsCVE-2020-1406Windows Network List Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1410Windows Address Book Remote Code Execution Vulnerability
Microsoft WindowsCVE-2020-1085Windows Function Discovery Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1402Windows ActiveX Installer Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1330Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability
Microsoft WindowsCVE-2020-1431Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1405Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1404Windows Runtime Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1438Windows Network Connections Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1430Windows UPnP Device Host Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1429Windows Error Reporting Manager Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1463Windows SharedStream Library Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1437Windows Network Location Awareness Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1434Windows Sync Host Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1427Windows Network Connections Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1413Windows Runtime Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1333Group Policy Services Policy Processing Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1428Windows Network Connections Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1249Windows Runtime Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1267Local Security Authority Subsystem Service Denial of Service Vulnerability
Microsoft WindowsCVE-2020-1399Windows Runtime Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1365Windows Event Logging Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1366Windows Print Workflow Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1359Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1363Windows Picker Platform Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1370Windows Runtime Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1373Windows Network Connections Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1374Remote Desktop Client Remote Code Execution Vulnerability
Microsoft WindowsCVE-2020-1371Windows Event Logging Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1372Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1356Windows iSCSI Target Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1420Windows Error Reporting Information Disclosure Vulnerability
Microsoft WindowsCVE-2020-1421LNK Remote Code Execution Vulnerability
Microsoft WindowsCVE-2020-1350Windows DNS Server Remote Code Execution Vulnerability
Microsoft WindowsCVE-2020-1418Windows Diagnostics Hub Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1422Windows Runtime Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1353Windows Runtime Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1354Windows UPnP Device Host Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1347Windows Storage Services Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1352Windows USO Core Worker Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1375Windows COM Server Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1390Windows Network Connections Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1391Windows Agent Activation Runtime Information Disclosure Vulnerability
Microsoft WindowsCVE-2020-1386Connected User Experiences and Telemetry Service Information Disclosure Vulnerability
Microsoft WindowsCVE-2020-1387Windows Push Notification Service Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1395Windows Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1398Windows Lockscreen Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1393Windows Diagnostics Hub Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1394Windows Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1385Windows Credential Picker Elevation of Privilege Vulnerability
Microsoft WindowsCVE-2020-1384Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
Open Source SoftwareCVE-2020-1469Bond Denial of Service Vulnerability
Skype for BusinessCVE-2020-1025Microsoft Office Elevation of Privilege Vulnerability
Visual StudioCVE-2020-1416Visual Studio and Visual Studio Code Elevation of Privilege Vulnerability
Visual StudioCVE-2020-1481Visual Studio Code ESLint Extention Remote Code Execution Vulnerability
Windows Hyper-VCVE-2020-1041Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
Windows Hyper-VCVE-2020-1040Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
Windows Hyper-VCVE-2020-1032Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
Windows Hyper-VCVE-2020-1036Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
Windows Hyper-VCVE-2020-1042Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
Windows Hyper-VCVE-2020-1043Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
Windows KernelCVE-2020-1367Windows Kernel Information Disclosure Vulnerability
Windows KernelCVE-2020-1396Windows ALPC Elevation of Privilege Vulnerability
Windows KernelCVE-2020-1336Windows Kernel Elevation of Privilege Vulnerability
Windows KernelCVE-2020-1419Windows Kernel Information Disclosure Vulnerability
Windows KernelCVE-2020-1426Windows Kernel Information Disclosure Vulnerability
Windows KernelCVE-2020-1358Windows Resource Policy Information Disclosure Vulnerability
Windows KernelCVE-2020-1388Windows Elevation of Privilege Vulnerability
Windows KernelCVE-2020-1389Windows Kernel Information Disclosure Vulnerability
Windows KernelCVE-2020-1357Windows System Events Broker Elevation of Privilege Vulnerability
Windows KernelCVE-2020-1411Windows Kernel Elevation of Privilege Vulnerability
Windows ShellCVE-2020-1415Windows Runtime Elevation of Privilege Vulnerability
Windows ShellCVE-2020-1360Windows Profile Service Elevation of Privilege Vulnerability
Windows ShellCVE-2020-1414Windows Runtime Elevation of Privilege Vulnerability
Windows ShellCVE-2020-1368Windows Credential Enrollment Manager Service Elevation of Privilege Vulnerability
Windows Subsystem for LinuxCVE-2020-1423Windows Subsystem for Linux Elevation of Privilege Vulnerability
Windows Update StackCVE-2020-1392Windows Elevation of Privilege Vulnerability
Windows Update StackCVE-2020-1346Windows Modules Installer Elevation of Privilege Vulnerability
Windows Update StackCVE-2020-1424Windows Update Stack Elevation of Privilege Vulnerability
Windows WalletServiceCVE-2020-1344Windows WalletService Elevation of Privilege Vulnerability
Windows WalletServiceCVE-2020-1364Windows WalletService Denial of Service Vulnerability
Windows WalletServiceCVE-2020-1369Windows WalletService Elevation of Privilege Vulnerability
Windows WalletServiceCVE-2020-1361Windows WalletService Information Disclosure Vulnerability
Windows WalletServiceCVE-2020-1362Windows WalletService Elevation of Privilege Vulnerability


Source: Information Technologies - zdnet.com

SigRed: A 17-year-old 'wormable' vulnerability for hijacking Microsoft Windows Server

Google's Confidential VMs may change the public cloud market