Microsoft July 2020 Patch Tuesday fixes 123 vulnerabilities

The monthly security updates for Microsoft products — also known as Patch Tuesday — are out for the month of July 2020.

This month, Redmond fixed 123 security flaws across 13 products. None of the security bugs fixed this month have been observed being exploited in the real world.

The most severe bug patched this month is a bug (CVE-2020-1350) in the Windows Server DNS component. Discovered by Check Point researchers, the bug received a 10 out of 10 severity rating, and researchers say the bug can be easily weaponized to create wormable (self-propagating) malware.

See ZDNet’s separate coverage for this bug, codenamed SigRed, here.

Other important bugs patched this month also include remote code vulnerabilities in:

• The RemoteFX vGPU component of Microsoft’s Hyper-V hypervisor technology (CVE-2020-1041, CVE-2020-1040, CVE-2020-1032, CVE-2020-1036, CVE-2020-1042, CVE-2020-1043)
• The Jet Database Engine included with some Office applications (CVE-2020-1400, CVE-2020-1401, CVE-2020-1407)
• Microsoft Word (CVE-2020-1446, CVE-2020-1447, CVE-2020-1448)
• Microsoft Excel (CVE-2020-1240)
• Microsoft Outlook (CVE-2020-1349)
• Microsoft Sharepoint (CVE-2020-1444)
• Windows LNK shortcut files (CVE-2020-1421)
• Various Windows graphics components (CVE-2020-1435, CVE-2020-1408, CVE-2020-1412, CVE-2020-1409, CVE-2020-1436, CVE-2020-1355)

These “remote code execution” vulnerabilities are the most severe, as they allow hackers to execute code on a system in remote attack scenarios.

Since Patch Tuesday updates are delivered in monthly blocks, system administrators can’t select which patches to apply and which they don’t. System administrators are advised to review the threat posed by the RCE vulnerabilities listed above and decide the urgency for patching to each of their respetive organizations.

System administrators who manage large fleets of computers — such as those deployed across enterprises and government organizations — are also advised to test today’s updates for any bugs before deploying them to production systems.

Malware authors are known to follow Microsoft’s monthly security updates, select the most useful/dangerous bugs, and patch-diff the security updates packages to find the exact bug Microsoft fixed — so they can weaponize them for upcoming attacks.

Below is some useful information about today’s Patch Tuesday, but also the security updates released by other companies this month, which sysadmins might also need to address as well, besides Microsoft’s batch.

• Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
• ZDNet has published this file listing all this month’s security advisories on one single page.
• Adobe’s security updates are detailed here.
• SAP security updates are available here.
• VMWare security updates are available here.
• Oracle’s quarterly patches (for Q2 2020, July edition) are available here.
• Chrome 84 security updates are detailed here.
• The Android Security Bulletin for July 2020 is detailed here. Patches started rolling out to users’ phones last week.

Source: Information Technologies - zdnet.com