Overview
Microsoft released July 2020 security updates on Tuesday that fix 124 vulnerabilities ranging from simple spoofing attacks to remote code execution in various products, including .NET Framework, Azure DevOps, Internet Explorer, Microsoft Edge, Microsoft Graphics Component, Microsoft JET Database Engine, Microsoft Malware Protection Engine, Microsoft Office, Microsoft Office SharePoint, Microsoft OneDrive, Microsoft Scripting Engine, Microsoft Windows, Open Source Software, Skype for Business, Visual Studio, Windows Hyper-V, Windows IIS, Windows Kernel, Windows Shell, Windows Subsystem for Linux, Windows Update Stack, and Windows WalletService.
Description of Critical and Important Vulnerabilities
This time, Microsoft fixes 16 critical vulnerabilities and 104 important vulnerabilities. Although the vulnerabilities disclosed this month have not been reported to be exploited, all users are advised to install updates without delay:
- Microsoft Windows DNS Server Remote Code Execution Vulnerability SigRed (CVE-2020-1350)
The severest vulnerability fixed this month is a wormable Windows DNS server vulnerability called SigRed (CVE-2020-1350).
According to Microsoft, the CVSS base score of this vulnerability is 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).
An unauthenticated attacker could exploit the vulnerability by sending crafted request data packets to the affected server, thus causing the target system to execute arbitrary code.
- Hyper-V RemoteFX vGPU Remote Code Execution Vulnerabilities (CVE-2020-1041, CVE-2020-1040, CVE-2020-1032, CVE-2020-1036, CVE-2020-1042, CVE-2020-1043)
Remote code execution vulnerabilities exist when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit these vulnerabilities, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.
The vendor has released no patch for the preceding vulnerabilities and explained why it planned to disable and remove RemoteFX instead of fixing the vulnerabilities as follows:
In October 2019, Microsoft announced that it was stopping developing or adding features to Remote FX. For Windows 10 version 1809 and later, and Windows Server 2019, RemoteFX vGPU is no longer supported or actively developed. Since these newly identified vulnerabilities are architectural in nature, and the feature is already deprecated on newer versions of Windows, Microsoft has determined that disabling and removing RemoteFX is a better course of action.
For more information, see Microsoft’s security bulletins from the following links:
- Microsoft Word Remote Code Execution Vulnerabilities (CVE-2020-1446, CVE-2020-1447, CVE-2020-1448)
Remote code execution vulnerabilities exist in Microsoft Word software when it fails to properly handle objects in memory. To exploit these vulnerabilities, an attacker may rely on various ways to induce the user to open a specially crafted file with Microsoft Word software.
An attacker who successfully exploited the vulnerabilities could perform actions in the context of the current user.
- Microsoft Excel Remote Code Execution Vulnerability (CVE-2020-1240)
A remote code execution vulnerability exists in Microsoft Excel software when it fails to properly handle objects in memory. To exploit the vulnerability, an attacker may rely on various ways to induce the user to open a specially crafted file with an affected version of Microsoft Excel.
An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
- Microsoft Outlook Remote Code Execution Vulnerability (CVE-2020-1349)
A remote code execution vulnerability exists in Microsoft Outlook software. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the context of the current user. To exploit the vulnerability, an attacker may induce the user to open a specially crafted file with an affected version of Microsoft Outlook software.
Note that the Preview Pane is an attack vector for this vulnerability.
- Windows LNK Remote Code Execution Vulnerability (CVE-2020-1421)
A remote code execution vulnerability exists in Microsoft Windows. The attacker could present to the user a removable drive, or remote share, which contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute arbitrary code on the target system.
- Remote Desktop Client Remote Code Execution Vulnerability (CVE-2020-1374)
A remote code execution vulnerability exists in the Windows Remote Desktop Client. An attacker who successfully exploited this vulnerability could execute arbitrary code on the client computer connected to a malicious server.
To exploit this vulnerability, an attacker would have control of a malicious server and then trick the user into connecting to the server via various ways such as social engineering and DNS poisoning.
A privilege escalation vulnerability exists when Microsoft SharePoint Server and Skype for Business Server improperly handle OAuth token validation. An attacker who successfully exploited the vulnerability could bypass authentication and achieve improper access.
To exploit this vulnerability, an attacker would need to modify the token.
- .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability (CVE-2020-1147)
A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.
Affected Software
The following tables list the affected software details for the vulnerability.
CVE-2020-1481 | ||||||
Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
Microsoft Visual Studio Code ESLint extension | Release Notes Security Update | Important | Remote Code Execution | Base: N/A Temporal: N/A Vector: N/A | Maybe |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.
Download: