Microsoft has released its July Patch Tuesday security updates, addressing a massive 123 vulnerabilities and one advisory across the Windows family of operating systems and related products. Of these, 18 are classified as Critical and 105 as Important. Affected products include Microsoft Windows, Microsoft Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, .NET Framework, and Azure DevOps.
All of the critical bugs are Remote Code Execution (RCE) or Elevation of Privilege (EoP) flaws that reside in Internet Explorer, Windows, Microsoft Lync Server, Microsoft SharePoint, and Visual Studio Code, to name a few.
At the time of the release of the updates, there were no zero-days and no vulnerabilities that had been publicly disclosed or were under active attack.
An extremely critical “wormable” Remote Code Execution vulnerability in the Windows DNS server was discovered by researchers at Check Point. The vulnerability is so menacing that it could allow a remote attacker to create wormable malware that can spread on its own in a network.
Windows DNS Server Remote Code Execution Vulnerability|CVE-2020-1350:
- A remote code execution vulnerability with a CVSS base score of 10 exists in Windows Domain Name System servers. The flaw exists because the server fails to properly validate the length in the record packet while parsing DNS signature queries (RR SIG records).
- To exploit the vulnerability, an unauthenticated attacker could send malformed requests to a Windows DNS server. The attack vector requires very large DNS packets, so attacks cannot be conducted over UDP.
- An attacker could host a DNS server that has malicious content. DNS clients like phones, tablets, laptops, desktops, servers, cameras, etc. could be tricked into making a query to a malicious server.
- The response from the malicious server, which uses compression in one of the DNS fields, is temporarily cached in the local Microsoft DNS server on the client. The next time the query is requested, the local Microsoft DNS server attempts to uncompress the fields before responding, resulting in a heap memory overflow, which can lead to remote code execution.
- Successful exploitation could allow an attacker to run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
Remote Desktop Client Remote Code Execution Vulnerability|CVE-2020-1374:
- A remote code execution vulnerability exists in the Windows Remote Desktop Client on OS versions from Windows 7 to the latest version of Windows 10.
- The flaw exists due to an integer overflow that allows heap corruption. To exploit the vulnerability, an attacker would need to have control of a malicious server and then trick the user into connecting to that server via social engineering, DNS poisoning, or a Man in the Middle (MITM) technique like ARP poisoning. An attacker could also compromise a legitimate RDP server, host malicious code on it, and wait for the user to connect.
- The vulnerability can be triggered within the Media Container Dynamic Virtual Channel feature and follows the well-known path of alloc(controlled_size) followed by a memcpy() to the allocated location.
- Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code on a compromised system. An attacker could then install programs, modify or delete data, or create new accounts with full user rights.
- A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, Visual Studio, and PerformancePoint Services for SharePoint Server.
- The flaw exists when the software fails to validate the source markup of XML file input.
- For exploitation of the vulnerability, an attacker could upload a maliciously crafted document to a server utilizing an affected product to process content.
- Successful exploitation of the vulnerability could allow an attacker to run arbitrary code in the context of the process responsible for the deserialization of the XML content.
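The pattern named in the Remote Desktop Client item above (CVE-2020-1374), an integer overflow feeding alloc(controlled_size) followed by a memcpy(), is shown here next to a hardened form. This is an added example, not Microsoft's code; the message layout, `HDR_LEN`, `MAX_MSG` and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 16u        /* hypothetical fixed header kept before the data */
#define MAX_MSG (1u << 20) /* hypothetical upper bound for one message */

/* Unsafe size calculation: 32-bit arithmetic wraps silently, so a huge
 * count yields a tiny allocation that a later memcpy() overruns. */
uint32_t unchecked_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size + HDR_LEN;
}

/* Checked calculation: do the math in 64 bits and reject anything that
 * does not fit the 32-bit length the format can express. */
int checked_size(uint32_t count, uint32_t elem_size, size_t *out) {
    uint64_t total = (uint64_t)count * elem_size + HDR_LEN;
    if (total > UINT32_MAX) return -1;
    *out = (size_t)total;
    return 0;
}

/* Hardened handler: sender-controlled fields are validated against each
 * other and against the bytes actually received before allocating. */
uint8_t *copy_samples(const uint8_t *payload, size_t payload_len,
                      uint32_t count, uint32_t elem_size, size_t *out_len) {
    size_t need;
    if (checked_size(count, elem_size, &need) != 0) return NULL;
    if (need > MAX_MSG || need - HDR_LEN > payload_len) return NULL;
    uint8_t *buf = calloc(1, need);
    if (buf == NULL) return NULL;
    memcpy(buf + HDR_LEN, payload, need - HDR_LEN);
    *out_len = need;
    return buf;
}

int main(void) {
    const uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed input */
    size_t n = 0;
    printf("wrapped size: %u\n", (unsigned)unchecked_size(0x40000001u, 4u));
    uint8_t *ok = copy_samples(payload, sizeof payload, 2, 4, &n);
    printf("valid message: %s (%zu bytes)\n", ok ? "accepted" : "rejected", n);
    free(ok);
    uint8_t *bad = copy_samples(payload, sizeof payload, 0x40000001u, 4, &n);
    printf("overflowing count: %s\n", bad ? "accepted" : "rejected");
    free(bad);
    return 0;
}
```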
Windows Font Library Remote Code Execution Vulnerability|CVE-2020-1436:
- A critical remote code execution vulnerability exists in the Windows font library.
- The flaw exists due to improper handling of specially crafted fonts by the Windows font library. Manipulation with an unknown input leads to memory corruption.
- Successful exploitation of the vulnerability could allow an attacker to execute code remotely. However, there is a limitation for systems running Windows 10: on successful exploitation, an attacker could execute code only in an AppContainer sandbox context with limited privileges and capabilities.
- The attacker could then install programs, modify or delete data, or create new accounts with full user rights.
Microsoft Office Elevation of Privilege Vulnerability|CVE-2020-1025:
- A ‘rare’ critical Elevation of Privilege (EoP) vulnerability exists in Microsoft Office.
- The flaw exists when Microsoft SharePoint Server and Skype for Business Server improperly handle OAuth token validation. Lync servers are also impacted by this vulnerability.
- To exploit this vulnerability, an attacker would need to modify the token.
- Successful exploitation of the vulnerability could allow an attacker to bypass authentication and achieve improper access.
Microsoft Security Bulletin Summary for May 2020:
- Microsoft Windows
- Microsoft Edge (EdgeHTML-based)
- Internet Explorer
- Microsoft Office and Microsoft Office Services and Web Apps
- Windows Defender
- Skype for Business
- Visual Studio
- Microsoft OneDrive
- .NET Framework
- Azure DevOps
Product: Microsoft Windows
CVEs/Advisory: ADV200008, CVE-2020-1032, CVE-2020-1036, CVE-2020-1040 – CVE-2020-1043, CVE-2020-1085, CVE-2020-1249, CVE-2020-1267, CVE-2020-1330, CVE-2020-1333, CVE-2020-1336, CVE-2020-1344, CVE-2020-1346, CVE-2020-1347, CVE-2020-1350 – CVE-2020-1375, CVE-2020-1381, CVE-2020-1382, CVE-2020-1384, CVE-2020-1385 – CVE-2020-1400, CVE-2020-1401 – CVE-2020-1410, CVE-2020-1411 – CVE-2020-1430, CVE-2020-1431 – CVE-2020-1438, CVE-2020-1463, CVE-2020-1468
Impact: Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Tampering
KBs: 4558997, 4558998, 4565483, 4565489, 4565503, 4565508, 4565511, 4565513, 4565524, 4565535, 4565537, 4565540, 4565541, 4565552, 4565553, 4565554, 4565911, 4565912, 4566425, 4566426, 4566785
Product: Microsoft Edge (EdgeHTML-based)
CVEs/Advisory: CVE-2020-1433, CVE-2020-1462
Impact: Information Disclosure
KBs: 4558998, 4565483, 4565489, 4565503, 4565508, 4565511, 4565513
Product: Internet Explorer
CVEs/Advisory: CVE-2020-1403, CVE-2020-1432
Impact: Information Disclosure, Remote Code Execution
KBs: 4558998, 4565479, 4565483, 4565489, 4565503, 4565508, 4565511, 4565513, 4565524, 4565536, 4565537, 4565541
Product: Microsoft Office and Microsoft Office Services and Web Apps
CVEs/Advisory: CVE-2020-1342, CVE-2020-1349, CVE-2020-1409, CVE-2020-1442, CVE-2020-1445, CVE-2020-1446 – CVE-2020-1449
Impact: Information Disclosure, Remote Code Execution, Spoofing
KBs: 4484357, 4484381, 4484451, 4484456
Product: Windows Defender
Impact: Elevation of Privilege
Product: Azure DevOps