Microsoft’s Patch Tuesday security updates for July 2020 fix 123 vulnerabilities, including 18 that have been rated critical and which can lead to remote code execution.
The critical vulnerabilities impact Windows, the .NET framework, Internet Explorer, SharePoint, Visual Studio, Office and Hyper-V. None of the flaws patched this month appear to have been exploited in attacks, but one issue, an important-severity privilege escalation weakness affecting the Windows SharedStream Library, was publicly disclosed before a fix was released.
The most serious of the vulnerabilities patched this month appears to be CVE-2020-1350, which affects Windows DNS servers and allows an unauthenticated attacker to run arbitrary code in the context of the local system account by sending specially crafted requests to the server.
Microsoft has described the vulnerability as wormable and experts have advised users to install the patch as soon as possible due to the high risk of exploitation.
“We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts,” Microsoft said in its advisory.
Trend Micro’s Zero Day Initiative (ZDI) pointed out that this is the fifth month in which Microsoft has patched over 110 vulnerabilities, bringing the total so far in 2020 to 742. This is already higher than the total number of flaws fixed in 2017 and 2018, when there were fewer than 700 CVEs, and it could soon surpass the 851 CVEs from 2019.
Experts from several cybersecurity companies have commented on this month’s patches:
Dustin Childs, Communications Manager, ZDI:
“Patch CVE-2020-1350 as soon as you can! This patch fixes a CVSS 10 rated bug in the Windows DNS Server service that could allow unauthenticated code execution at the level of Local System account if an affected system received a specially crafted request. That makes this bug wormable – at least between affected DNS servers. Microsoft also suggests a registry edit that limits the size of TCP packets the server will process as a workaround, but they don’t list any potential side effects of that registry change. The attack vector requires very large DNS packets, so attacks cannot be conducted over UDP.
There are also 14 information disclosure bugs getting patched this month. Two of these patches are for Skype for Business and could disclose Skype profile data or other PII of the user.
The release includes another patch for LNK files. Considering this is the fourth one this year to be addressed, it seems likely one of the first three didn’t completely resolve the underlying vulnerability.
The release is rounded out with patches for a few cross-site scripting bugs and the Denial-of-Service (DoS) bugs. Included in the DoS bugs is a new version of the .NET implementation of Bond. It’s strange to see Microsoft patches for open source software, but it’s a welcome event.”
Richard Tsang, senior software engineer, Rapid7:
“The star of this Patch Tuesday is CVE-2020-1350, a wormable vulnerability on Windows Servers running the Windows DNS Server service. This vulnerability includes ESU servers like Windows Server 2008 and Windows Server 2008 R2, but extends throughout all supported versions of Windows Server that can run the Windows DNS Server service.
Another vulnerability to note is CVE-2020-1374. This one is a Remote Desktop Client remote code execution vulnerability where a vulnerable version of the Windows Remote Desktop Client connecting to a malicious server could allow an attacker to act as if it has full user rights. With a pinch of social engineering or other means such as using a Man-in-the-Middle attack, unsuspecting users from OS versions of Windows 7 to the latest version of Windows 10 (2004) could be susceptible to this.
On the stranger side of things, there are patches made for CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, and CVE-2020-1043 surrounding the Hyper-V RemoteFX vGPU feature on Hyper-V hosts, the worst of which would allow an attacker to execute arbitrary code on the host system. Given that RemoteFX vGPU is no longer under active development, if your environment has a strict RemoteFX requirement, Microsoft has provided additional details on assisting in migrating off that feature.
The last operational aspect to this Patch Tuesday that deviates from the norm is CVE-2020-1346, an elevation of privilege vulnerability in the Windows Modules Installer component for all Windows OS (ESU-eligible and up). In this particular case, the Servicing Stack updates released this month should be installed prior to installing the cumulative update/monthly rollup or security update patch. While it was not explicitly outlined, following these directions from Microsoft for CVE-2020-1346 may have a direct impact on the order of operations when resolving other issues such as CVE-2020-1350.”
Jay Goodman, Strategic Product Marketing Manager, Automox:
“To start with, CVE-2020-1147, 1421, and 1403 are remote code execution vulnerabilities in Windows .NET framework, LNK, and VBScript. These three services are highly common amongst Windows operating systems. The .NET vulnerability impacts every version of the framework back to 2.0 across nearly every flavor of Microsoft OS. The commonality of these services makes for a potential broad-scoped attack by adversaries. Additional remote code execution vulnerabilities were found in DirectWrite and GDI+ (CVE-2020-1409 and CVE-2020-1435) and PerformancePoint Services (CVE-2020-1439). DirectWrite and GDI+ are text layout and rendering APIs provided by Microsoft and commonly used by third-party browsers like Chrome.
Remote Code Execution vulnerabilities allow attackers to access a system and read or delete contents, make changes, or directly run code on the system. This gives an attacker quick and easy access to not only your organization’s data but also a platform to perform additional malicious attacks against other devices in your environment. Services like LNK and VBScript as well as .NET Framework are extremely common across many Windows systems. This gives attackers a plethora of potential targets to compromise and move laterally from easily once access is gained.
Microsoft also provided guidance on enabling request smuggling filtering on IIS Servers. Microsoft noted that they are aware of a potential tampering vulnerability in the way that HTTP proxies and web servers handle sequences of HTTP requests from multiple sources. An attacker could exploit the vulnerability by combining multiple requests into the body of a single request to a web server, allowing them to modify responses or retrieve information from another user’s HTTP session. Although there is not an immediate patch to address this vulnerability, Microsoft’s guidance does provide a quick filter registry addition that can protect your web servers.”
David Carver, Manager, Insikt Group, Recorded Future:
“One of the concerning attributes of this Patch Tuesday is the number of disclosed RCE vulnerabilities that impact a broad range of widely used Microsoft products. CVE-2020-1374, for example, allows remote code execution based on a flaw in Windows Remote Desktop Client, can be exploited by convincing a user to visit a malicious server, and impacts Windows 7 through 10 and Windows Server 2008 through 2019.
Other RCE vulnerabilities that impact an identical range of products include CVE-2020-1410, which impacts Windows Address Book and could be exploited via a malicious vcard file; CVE-2020-1421, which impacts .LNK files and could be exploited via a malicious removable drive or remote share; and CVE-2020-1435 and CVE-2020-1436, which impact Windows Graphic Device Interface and Windows font library, respectively, and could both be exploited via a malicious link or document.”
Erez Yalon, Director of Security Research, Checkmarx:
“Microsoft’s latest Patch Tuesday update shows several fixes for Remote Code Execution (RCE) vulnerabilities spanning entry points including DNS servers (CVE-2020-1350), Microsoft Office (CVE-2020-1458), Outlook (CVE-2020-1349), and development tools like .NET Framework and Visual Studio (CVE-2020-1147), among others.
RCE, or being able to run code on a vulnerable system, is as dangerous as it sounds. Through RCE, an attacker can install programs, as well as view, change, or delete data. This method of attack can be the entry point to an organization, giving cybercriminals the keys to more complex attacks. If exploited on a key user or system, it can also mean ‘game over’ for an individual or organization at large.
Specifically, RCE vulnerabilities in developer tools — as witnessed this month in the .NET Framework and Visual Studio programs — can allow an attacker to take over the computer of a user who has access to source codes, and potentially production environments, of an organization, meaning intellectual property is now also at stake.
Overall, this month’s patches demonstrate that RCE vulnerabilities are still very prevalent today, and individuals should immediately update all affected Microsoft products and services to maintain strong security posture.”