A critical DNS bug and a publicly known elevation-of-privilege flaw top Microsoft’s July Patch Tuesday list of 123 fixes. The DNS flaw is a remote code-execution bug and is touted as one of the most critical Windows vulnerabilities released this year, earning the highest-severity CVSS score of 10.
The elevation-of-privilege bug (CVE-2020-1463) received a less-severe “important” rating, and impacts the Windows 10 and Windows Server SharedStream Library component. It stems from the way the component handles objects in memory. Researchers expressed concern because the bug is publicly known, making it ripe for exploitation.
“The [SharedStream] vulnerability could allow an attacker to execute code with elevated permissions,” said Todd Schell, senior product manager, security, Ivanti. However, “the attacker would need to be locally authenticated to exploit,” he said.
The more severe DNS flaw (CVE-2020-1350) is a remote code-execution vulnerability in the Windows Domain Name System (DNS) Server and was found by Sagi Tzadik, a researcher at Check Point. The bug exists due to the improper handling of requests sent to Windows DNS servers, according to researchers.
“A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server. Successful exploitation would allow the attacker to execute arbitrary code under the local system account context,” wrote Satnam Narang, staff research engineer at Tenable, in the company’s Patch Tuesday analysis.
He noted that Microsoft warned that this vulnerability is wormable, meaning it could spread from computer to computer without user interaction. “Organizations are strongly encouraged to patch their systems as soon as possible to address this vulnerability, as we expect that it won’t be long before attackers begin to probe for and target vulnerable systems,” he wrote as part of Tenable’s analysis of the flaw.
123 Fixes: Another Triple-Digit Month
In all, Microsoft patched 123 bugs, 18 listed as critical and 105 listed as important in severity. Microsoft’s advisories covered a wide swath of products, including Windows 10, Microsoft’s new Chromium-based Edge browser, Internet Explorer (IE), Office and Office Services and Web Apps, Windows Defender, Skype for Business, Visual Studio, .NET Framework, OneDrive, Azure DevOps and Open Source Software.
“That makes five straight months of 110+ CVEs released and brings the total for 2020 up to 742,” wrote Zero Day Initiative (ZDI) researchers in their Patch Tuesday analysis. “For comparison, Microsoft released patches for 851 CVEs in all of 2019. At this pace, Microsoft will eclipse that number next month. They have already passed their totals for 2017 (665) and 2018 (691).”
Researchers at ZDI singled out a “rare” critical elevation-of-privilege vulnerability (CVE-2020-1025) in Microsoft Office: “It’s rare to see an elevation-of-privilege bug rated critical in severity, but this vulnerability in SharePoint and Skype for Business servers certainly earns its rating.” The flaw allows attackers to gain access to impacted servers through the improper handling of an OAuth token.
Patch Tuesday Bug Parade
Meanwhile, Adobe released five patches covering 13 CVEs in Adobe ColdFusion, Download Manager, Genuine Service, Media Encoder and the Creative Cloud Desktop Application. The Adobe patches included fixes for four critical vulnerabilities, as outlined by Threatpost.
Also on Tuesday, Google updated its Google Chrome browser with a security update tackling 38 vulnerabilities — including one critical. The critical bug (CVE-2020-6510) is a Chrome heap buffer overflow vulnerability tied to Chrome’s background fetch function.
The Chrome security update is part of the release of Chrome 84 (84.0.4147.89), which notably deprecates support for TLS 1.0 and TLS 1.1.