Virtual Administrator’s July 2020 Patch Recommendations
This month Microsoft released patches for 123 vulnerabilities with 18 rated “Critical” and 105 “Important” in severity.
All patches have been approved in our patch policy.
July patches 123 vulnerabilities. The top news this month is a Windows DNS server vulnerability known as SigRed (CVE-2020-1350). This is a wormable RCE vulnerability in Windows DNS Server affecting all versions of Windows server running the DNS Server role. The patch is included in the Cumulative Update/Monthly Rollup. For those who do not want to install the full Cumulative Update/Monthly Rollup yet, there is a registry change that mitigates without requiring a reboot. The script is posted on ClubMSP. Patches for a number of vulnerabilities impacting the RemoteFX vGPU component of Microsoft’s Hyper-V hypervisor technology were released. A number of RCE vulnerabilities in Microsoft Office are patched as well. Microsoft broke Outlook for half the day on July 15th – see “FYI” below
Windows DNS server wormable vulnerability “SigRed” (CVE-2020-1350)
July 2020 Security Update:?CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server
FYI: On July 15th for a few hours the Outlook.exe program was crashing with an error 0xc0000005. Not everyone was affected but at least recent versions of Microsoft 365 Click-to-Run Current Channel version 2006 Build 13001.20266 as well as Office 2019 had issues.
Per Microsoft this was fixed “Outlook will automatically look for the fix on launch, so if this issue persists through multiple launches please use Outlook Web Access (or your providers webmail interface) for an hour then try again.”
Active Investigation into Outlook Crashing on Launch
They also stated “This problem is not associated with any of the 7/15/2020 security patches”
Rumors about what happened are swirling and Microsoft has promised an explanation in a few days. On July 15th it was discovered rolling back a few versions would allow Office to work. Again this should no longer be necessary. The prevailing rumor is that Microsoft pushed out a security or authentication change to their servers which broke its communication with the newer versions of Office.
Disclosed: None
Exploited: None
Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com
Affected software include:
- Microsoft Windows
- Microsoft Edge (EdgeHTML-based)
- Microsoft Edge (Chromium-based)
- Microsoft ChakraCore
- Internet Explorer
- Microsoft Office and Microsoft Office Services and Web Apps
- Windows Defender
- Skype for Business
- Visual Studio
- Microsoft OneDrive
- Open Source Software
- .NET Framework
- Azure DevOps
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:07/14/2020)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
ADV200008 | Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers (Published: 07/14/2020)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200008
Microsoft is aware of a tampering vulnerability in the way that HTTP proxies (front-end) and web servers (back-end) that do not strictly adhere to RFC standards handle sequences of HTTP requests received from multiple sources. An attacker who successfully exploited the vulnerability could combine multiple requests into the body of a single request to a web server, allowing them to modify responses or retrieve information from another user’s HTTP session.
To exploit the vulnerability against an IIS Server hosting a website, an unauthenticated attacker could send a specially crafted request to a targeted IIS Server serviced by a front-end load balancer or proxy that does not strictly adhere to RFC standards.
Known Issues
No new issues according to Microsoft.
Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.
Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.
Windows 10 release information: https://docs.microsoft.com/en-us/windows/release-information/
Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB4565524 – Windows 7, Windows Server 2008 R2 (ESU)
- KB4565541 – Windows 8.1, Windows Server 2012 R2
- KB4565537 – Windows Server 2012
- KB4565536 – Windows Server 2008 (ESU)
Security Only Update
- KB4565539 – Windows 7, Windows Server 2008 R2 (ESU)
- KB4565540 – Windows 8.1, Windows Server 2012 R2
- KB4565535 – Windows Server 2012
- KB4565529 – Windows Server 2008 (ESU)
Cumulative Update for Windows 10
- KB4565513 – Original release version 1507 (OS Build 10240)
- None – Version 1511 (OS Build 10586)
- KB4565511 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB4565499 – Version 1703 “Creators Update” (OS Build 15063)
- KB4565508 – Version 1709 “Fall Creators Update” (OS Build 16299)
- KB4565489 – Version 1803 “Spring Creators Update” (OS Build 17134)
- KB4558998 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB4565483 – Version 1903 “May 2019 Update” (OS Build 18362)
- KB4565483 – Version 1909 “November 2019 Update” (OS Build 18363)
- KB4565503 – Version 2004 “May 2020 Update” (OS Build 19041)
Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.
KB4565479 – Cumulative Security Update for Internet Explorer 9/10/11
This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.
None – Security Update for Adobe Flash Player
July 2020 updates for Microsoft Office
https://support.microsoft.com/en-us/help/4559453/july-2020-updates-for-microsoft-office
Notable CVEs
CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.
The update addresses the vulnerability by modifying how Windows DNS servers handle requests.
CVE-2020-1410 | Windows Address Book Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1410
A remote code execution vulnerability exists when Windows Address Book (WAB) improperly processes vcard files.
To exploit the vulnerability, an attacker could send a malicious vcard that a victim opens using Windows Address Book (WAB). After successfully exploiting the vulnerability, an attacker could gain execution on a victim system.
The security update addresses the vulnerability by correcting the way Windows Address Book handles bound checking.
CVE-2020-1421 | LNK Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1421
A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive(or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice, on the target system.
The security update addresses the vulnerability by correcting the processing of shortcut LNK references.
CVE-2020-1435 | GDI+ Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1435
A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit the vulnerability:
-In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message.
-In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file.
The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.
CVE-2020-1436 | Windows Font Library Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1436
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted fonts.
For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are multiple ways an attacker could exploit the vulnerability:
-In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.
-In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file.
The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.