Microsoft July 2020 Patch Tuesday: 123 vulnerabilities, 18 Critical!
Today is Microsoft’s July 2020 Patch Tuesday, and if you see Windows administrators cursing for no reason, now you know why!
With the July 2020 Patch Tuesday security updates release, Microsoft has released one advisory for a tampering vulnerability in IIS and fixes for 123 vulnerabilities in Microsoft products.
Of these vulnerabilities, 18 are classified as Critical, and 105 are classified as Important.
This Patch Tuesday is the second-largest update ever, with the largest one being issued in June 2020 with 129 fixes.
This month's release patches two previously disclosed vulnerabilities and a critical, 10.0-rated wormable DNS vulnerability.
Users should install these security updates as soon as possible to protect Windows from known security risks.
For information about the non-security Windows updates, you can read about today’s Windows 10 KB4565503 & KB4565483 cumulative updates.
Fix for wormable DNS vulnerability
Today’s most newsworthy fix is for a Critical 10.0 rated vulnerability in Windows DNS Server that allows attackers to perform remote code execution.
The vulnerability was discovered by researchers at Check Point. What makes it so dangerous is that it could allow attackers to create wormable malware that can spread on its own in a network.
This vulnerability has been named SigRed by Check Point and is being tracked as CVE-2020-1350.
Microsoft has offered mitigations for this vulnerability, which can be found in our dedicated ‘Microsoft patches critical wormable SigRed bug in Windows DNS Server’ article.
Critical vulnerabilities of interest
Three ‘Critical’ vulnerabilities exist in Microsoft Edge and the VBScript engine that could allow an attacker to perform remote code execution by tricking a user into visiting a maliciously crafted web site.
- CVE-2020-1436 – Windows Font Library Remote Code Execution Vulnerability
- CVE-2020-1435 – GDI+ Remote Code Execution Vulnerability
If exploited, these vulnerabilities could allow the attacker to execute commands on the computer with the same privileges as the user.
Four ‘Critical’ vulnerabilities require an attacker to trick a user into downloading specially crafted malicious files. These vulnerabilities could be used in phishing or web attacks.
- CVE-2020-1409 – DirectWrite Remote Code Execution Vulnerability
- CVE-2020-1349 – Microsoft Outlook Remote Code Execution Vulnerability
- CVE-2020-1410 – Windows Address Book Remote Code Execution Vulnerability
- CVE-2020-1421 – LNK Remote Code Execution Vulnerability
Other critical vulnerabilities are six Hyper-V vulnerabilities that could allow an attacker on a guest operating system to execute commands on the host. The other is the previously discussed Windows DNS server vulnerability.
Also included in this Patch Tuesday are fixes for two previously disclosed ‘Important’ vulnerabilities.
- ADV200008 – Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers
- CVE-2020-1463 – Windows SharedStream Library Elevation of Privilege Vulnerability
Recent security updates from other companies
Other vendors who released security updates in July include:
- Adobe released security updates today for Creative Cloud, Download Manager, ColdFusion, Genuine Service, and Media Encoder.
- Android released their July 2020 security updates on June 6th.
- Mozilla released Firefox 78.0 with fixes for high and moderate severity security issues.
- SAP released its July 2020 security updates today and addressed a critical vulnerability that could lead to SAP systems’ full takeover.
- VMware released security updates for critical issues in VMware Cloud Foundation, ESXi, Workstation, and Fusion.
The July 2020 Patch Tuesday Security Updates
Below is the full list of resolved vulnerabilities and released advisories in the July 2020 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.
Tag | CVE ID | CVE Title | Severity |
---|---|---|---|
.NET Framework | CVE-2020-1147 | .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability | Critical |
Azure DevOps | CVE-2020-1326 | Azure DevOps Server Cross-site Scripting Vulnerability | Important |
Internet Explorer | CVE-2020-1432 | Skype for Business via Internet Explorer Information Disclosure Vulnerability | Important |
Microsoft Edge | CVE-2020-1433 | Microsoft Edge PDF Information Disclosure Vulnerability | Important |
Microsoft Edge | CVE-2020-1462 | Skype for Business via Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-1355 | Windows Font Driver Host Remote Code Execution Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-1468 | Windows GDI Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-1351 | Microsoft Graphics Component Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-1436 | Windows Font Library Remote Code Execution Vulnerability | Critical |
Microsoft Graphics Component | CVE-2020-1435 | GDI+ Remote Code Execution Vulnerability | Critical |
Microsoft Graphics Component | CVE-2020-1412 | Microsoft Graphics Components Remote Code Execution Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-1409 | DirectWrite Remote Code Execution Vulnerability | Critical |
Microsoft Graphics Component | CVE-2020-1408 | Microsoft Graphics Remote Code Execution Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-1397 | Windows Imaging Component Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-1381 | Windows Graphics Component Elevation of Privilege Vulnerability | Important |
Microsoft Graphics Component | CVE-2020-1382 | Windows Graphics Component Elevation of Privilege Vulnerability | Important |
Microsoft JET Database Engine | CVE-2020-1407 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2020-1400 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2020-1401 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft Malware Protection Engine | CVE-2020-1461 | Microsoft Defender Elevation of Privilege Vulnerability | Important |
Microsoft Office | CVE-2020-1445 | Microsoft Office Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2020-1446 | Microsoft Word Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2020-1349 | Microsoft Outlook Remote Code Execution Vulnerability | Critical |
Microsoft Office | CVE-2020-1439 | PerformancePoint Services Remote Code Execution Vulnerability | Critical |
Microsoft Office | CVE-2020-1240 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2020-1458 | Microsoft Office Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2020-1442 | Office Web Apps XSS Vulnerability | Important |
Microsoft Office | CVE-2020-1449 | Microsoft Project Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2020-1447 | Microsoft Word Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2020-1448 | Microsoft Word Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-1456 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-1454 | Microsoft SharePoint Reflective XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-1342 | Microsoft Office Information Disclosure Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-1443 | Microsoft SharePoint Spoofing Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-1450 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-1444 | Microsoft SharePoint Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2020-1451 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft OneDrive | CVE-2020-1465 | Microsoft OneDrive Elevation of Privilege Vulnerability | Important |
Microsoft Scripting Engine | CVE-2020-1403 | VBScript Remote Code Execution Vulnerability | Critical |
Microsoft Windows | CVE-2020-1406 | Windows Network List Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1410 | Windows Address Book Remote Code Execution Vulnerability | Critical |
Microsoft Windows | CVE-2020-1085 | Windows Function Discovery Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1402 | Windows ActiveX Installer Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1330 | Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-1431 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1405 | Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1404 | Windows Runtime Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1438 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1430 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1429 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1463 | Windows SharedStream Library Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1437 | Windows Network Location Awareness Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1434 | Windows Sync Host Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1427 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1413 | Windows Runtime Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1333 | Group Policy Services Policy Processing Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1428 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1249 | Windows Runtime Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1267 | Local Security Authority Subsystem Service Denial of Service Vulnerability | Important |
Microsoft Windows | CVE-2020-1399 | Windows Runtime Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1365 | Windows Event Logging Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1366 | Windows Print Workflow Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1359 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1363 | Windows Picker Platform Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1370 | Windows Runtime Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1373 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1374 | Remote Desktop Client Remote Code Execution Vulnerability | Critical |
Microsoft Windows | CVE-2020-1371 | Windows Event Logging Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1372 | Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1356 | Windows iSCSI Target Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1420 | Windows Error Reporting Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-1421 | LNK Remote Code Execution Vulnerability | Critical |
Microsoft Windows | CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability | Critical |
Microsoft Windows | CVE-2020-1418 | Windows Diagnostics Hub Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1422 | Windows Runtime Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1353 | Windows Runtime Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1354 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1347 | Windows Storage Services Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1352 | Windows USO Core Worker Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1375 | Windows COM Server Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1390 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1391 | Windows Agent Activation Runtime Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-1386 | Connected User Experiences and Telemetry Service Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2020-1387 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1395 | Windows Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1398 | Windows Lockscreen Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1393 | Windows Diagnostics Hub Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1394 | Windows Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1385 | Windows Credential Picker Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2020-1384 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important |
Open Source Software | CVE-2020-1469 | Bond Denial of Service Vulnerability | Important |
Skype for Business | CVE-2020-1025 | Microsoft Office Elevation of Privilege Vulnerability | Critical |
Visual Studio | CVE-2020-1416 | Visual Studio and Visual Studio Code Elevation of Privilege Vulnerability | Important |
Visual Studio | CVE-2020-1481 | Visual Studio Code ESLint Extention Remote Code Execution Vulnerability | Important |
Windows Hyper-V | CVE-2020-1041 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
Windows Hyper-V | CVE-2020-1040 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
Windows Hyper-V | CVE-2020-1032 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
Windows Hyper-V | CVE-2020-1036 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
Windows Hyper-V | CVE-2020-1042 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
Windows Hyper-V | CVE-2020-1043 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
Windows IIS | ADV200008 | Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers | Important |
Windows Kernel | CVE-2020-1367 | Windows Kernel Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2020-1396 | Windows ALPC Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2020-1336 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2020-1419 | Windows Kernel Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2020-1426 | Windows Kernel Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2020-1358 | Windows Resource Policy Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2020-1388 | Windows Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2020-1389 | Windows Kernel Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2020-1357 | Windows System Events Broker Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2020-1411 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Shell | CVE-2020-1415 | Windows Runtime Elevation of Privilege Vulnerability | Important |
Windows Shell | CVE-2020-1360 | Windows Profile Service Elevation of Privilege Vulnerability | Important |
Windows Shell | CVE-2020-1414 | Windows Runtime Elevation of Privilege Vulnerability | Important |
Windows Shell | CVE-2020-1368 | Windows Credential Enrollment Manager Service Elevation of Privilege Vulnerability | Important |
Windows Subsystem for Linux | CVE-2020-1423 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important |
Windows Update Stack | CVE-2020-1392 | Windows Elevation of Privilege Vulnerability | Important |
Windows Update Stack | CVE-2020-1346 | Windows Modules Installer Elevation of Privilege Vulnerability | Important |
Windows Update Stack | CVE-2020-1424 | Windows Update Stack Elevation of Privilege Vulnerability | Important |
Windows WalletService | CVE-2020-1344 | Windows WalletService Elevation of Privilege Vulnerability | Important |
Windows WalletService | CVE-2020-1364 | Windows WalletService Denial of Service Vulnerability | Important |
Windows WalletService | CVE-2020-1369 | Windows WalletService Elevation of Privilege Vulnerability | Important |
Windows WalletService | CVE-2020-1361 | Windows WalletService Information Disclosure Vulnerability | Important |
Windows WalletService | CVE-2020-1362 | Windows WalletService Elevation of Privilege Vulnerability | Important |