News

Microsoft July Security Updates Address 18 Critical Vulnerabilities, Including One That's 'Wormable'

• By Kurt Mackie
• 07/14/2020

Microsoft on Tuesday released July security patches, addressing a total of 123 common vulnerabilities and exposures (CVEs).

This hefty patch bundle represents the fifth consecutive month this year in which the count exceeded 110 CVEs, according to a reckoning by Dustin Childs of Trend Micro's Zero Day Initiative blog. The 2020 running tally, now at 742 CVEs total from Microsoft, likely will soon overtake the 851 CVEs that Microsoft had released in all of last year, he added.

The July bundle includes 18 "Critical"-rated patches and 105 "Important"-rated patches. There are no known active attacks associated with the July bundle, but one Important vulnerability was listed as being publicly known beforehand, namely CVE-2020-1463. It's an elevation of privilege vulnerability in the Windows SharedStream Library found in Windows 10, as well as Windows Server systems from Windows Server 2016 on up.

Wormable Vulnerability
The dreaded "wormable" term, meaning it can spread across a network, was bestowed by Microsoft and other security researchers on Critical vulnerability CVE-2020-1350, which affects all supported Windows Server products, as well as Window Server 2008. It's a remote code execution vulnerability in Windows DNS Servers that got a top "10" score on the Common Vulnerability Scoring System. Attackers just have to send a "malicious request" to Windows DNS Servers to exploit it.

Microsoft indicated that "it is essential that customers apply Windows updates to address this vulnerability as soon as possible," according to a separate Microsoft security update message on CVE-2020-1350. If patching isn't feasible, IT pros should make a Registry change, as specified in Microsoft's bulletin, as a workaround.

Childs noted that Microsoft's workaround essentially limits the size of the TCP packets, since large DNS packets are needed for an attack:

Microsoft also suggests a registry edit that limits the size of TCP packets the server will process as a workaround, but they don't list any potential side effects of that registry change. The attack vector requires very large DNS packets, so attacks cannot be conducted over UDP. Considering Windows DNS servers are usually also Domain Controllers, definitely get this patched as soon as you can.

Richard Tsang, a senior software engineer at security solutions firm Rapid7, also offered a description of the workaround via e-mail:

With caveats, Microsoft provided a Windows Registry setting workaround that effectively drops TCP-based DNS response packets exceeding 65280 bytes without reporting an error. It's recommended that if patching cycles are slow, that the workaround be applied earlier. The workaround does not need to be removed prior to patching, although it would be worthwhile to undo the workaround after patching.

Chris Hass, director of information security and research at cybersecurity firm Automox recommended applying the patch, but suggested via e-mail that the workaround was obscure enough that exploits could start to appear.

To make matters worse, Microsoft has deemed the exploitation of this vulnerability as "more likely," and considering the nature of the workaround steps Microsoft has provided if a patch cannot be applied right away, we predict that we will see this vulnerability exploited in the wild soon. The only good news is that this is not a vulnerability in the DNS protocol but limited to Microsoft's DNS server implementation of it; however, this implementation is widespread, especially in larger organizations.

Other Notable Critical Vulnerabilities
Childs noted that Microsoft included a rare Critical elevation of privilege vulnerability in this month's patch bundle, namely, CVE-2020-1025. It's associated with the mishandling of OAuth token validation process in Microsoft SharePoint Server and Skype for Business Server, which could let an attacker "bypass authentication and achieve improper access."

"Lync servers are also impacted by this," Childs added, "so if you have one of those left around, patch and then seriously consider upgrading to something newer."

The Microsoft Outlook e-mail client has a memory handling issue that could get exploited by attackers if they send a specially crafted file or get a user to visit a malicious Web site, per the CVE-2020-1349 description. That bulletin also noted that "the Preview Pane is an attack vector for this vulnerability," so end users could get tripped up in that way, too.

Another Critical vulnerability of note is CVE-2020-1147, which is a remote code execution vulnerability in ".NET Framework, Microsoft SharePoint, and Visual Studio" that gets triggered by attackers uploading "a specially crafted document to a server." The vulnerability is present because "the software fails to check the source markup of XML file input," Microsoft's bulletin explained.

Graphics Driver Problems and Hyper-V RemoteFX
Six Critical vulnerabilities in this month's patch bundle are associated with Microsoft's Hyper-V RemoteFX vGPU. According to Cisco's Talos security blog, the issues stem for "multiple vulnerabilities in Intel's Graphics Accelerator Driver and in an AMD Radeon driver," which were discovered by Cisco Talos researchers. When those vulnerabilities get combined with the RemoteFX vGPU capability in Hyper-V, it's possible to perform a "guest-to-host escape," the researchers indicated.

In response, Microsoft "completely eliminated the RemoteFX feature as part of this month's Patch Tuesday," Cisco Talos indicated.

Microsoft provided guidance in that respect, and recommended the use of a different vGPU than its own Hyper-V RemoteFX vGPU, as noted by Tsang.

On the stranger side of things, there are patches made for CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, and CVE-2020-1043 surrounding the Hyper-V RemoteFX vGPU feature on Hyper-V hosts. The worst of which would allow an attacker to execute arbitrary code on the host system. Given that RemoteFX vGPU is no longer under active development, if your environment has strict RemoteFX requirement, Microsoft has provided additional details on assisting in migrating off that feature.

Important Windows Modules Installer Issue
There's an Important vulnerability in how the Windows Modules Installer handles file operations, as described in CVE-2020-1346, which could lead to elevation of privilege attacks. The fix comes via Servicing Stack Updates, which patches the Windows Update service, but the Servicing Stack Updates need to be applied first before other patches, Microsoft's bulletin emphasized.

Security Advisory
There's one Important Security Advisory (ADV200008) concerning front-end load balancers or back-end Web proxy servers running Windows systems that could lead to tampering or retrieving information from a user's HTTP session. There's no patch for the vulnerability, but Microsoft's bulletin included a Registry workaround.

Details in Security Advisory ADV200008 were slim. Here's Microsoft's description of the attack route:

"To exploit the vulnerability against an IIS Server hosting a website, an unauthenticated attacker could send a specially crafted request to a targeted IIS Server serviced by a front-end load balancer or proxy that does not strictly adhere to RFC standards."

It's not clear from the bulletin what RFC standards should be strictly followed, though.

If that weren't enough, IT pros also are beset this month by Adobe patches and Oracle patches to apply.