July 14, 2020 • David Carver
In March, Microsoft’s Patch Tuesday featured 125 vulnerabilities. Then, there were 113 in April. May brought 111, and June had 129. This week, Microsoft includes 123 in the July edition of Patch Tuesday. Vulnerabilities have presented challenges all year, with little hope of slowing down. For some context, this is a +30% increase from March-July of vulnerabilities disclosed by Microsoft in 2019.
Of the 123 vulnerabilities in July 2020’s Patch Tuesday, 32 allow for remote code execution. The main concern this month is with CVE-2020-1350, a remote code execution (RCE) vulnerability in Windows DNS Servers. Microsoft has given this a CVSS score of 10 and marked it as “Exploitation More Likely.”
This vulnerability impacts Windows Server 2008 through 2019. To exploit the vulnerability, an attacker needs to send a specially crafted packet to a Windows server running a vulnerable version of Microsoft’s DNS. Because most active directory (AD) servers also double as DNS servers, this vulnerability could lead to exploitation of AD servers in the network. This should be a high priority for patching this month, although fortunately its disclosure has not been accompanied yet by news of active exploitation.
Another suite of critical remote code execution vulnerabilities exist in the Microsoft Hyper-V RemoteFX vGPU (CVE-2020-1032, -1036, -1040, -1041, -1042, and -1043). These are difficult vulnerabilities to exploit, since an attacker would have to have access to a guest operating system. From the guest operating system, the attacker could run a specially crafted application that would attack certain video drivers running on the Hyper-V host. This would allow the attacker to execute arbitrary code on the host operating system. Microsoft has not released a patch for this vulnerability. Instead, this month’s software update disables the RemoteFX vGPU on vulnerable systems, which includes Windows Server 2008 through 2016.
One of the concerning attributes of this Patch Tuesday is the number of disclosed RCE vulnerabilities that impact a broad range of widely used Microsoft products. CVE-2020-1374, for example, allows remote code execution based on a flaw in Windows Remote Desktop Client. It can be exploited by convincing a user to visit a malicious server, and impacts Windows 7 through 10 and Windows Server 2008 through 2019.
Other RCE vulnerabilities that impact an identical range of products include:
- CVE-2020-1410, which impacts Windows Address Book and could be exploited via a malicious vcard file
- CVE-2020-1421, which impacts .LNK files and could be exploited via a malicious removable drive or remote share
- CVE-2020-1435 and CVE-2020-1436, which impact Windows Graphic Device Interface and Windows font library, respectively, and could both be exploited via a malicious link or document
Prioritize the vulnerabilities that pose real and immediate risk to your company today with Express — Recorded Future’s free browser extension.