July 2020 Patch Bulletin

This is a huge month for Microsoft patches, with 125 unique vulnerabilities, 6 technologies with critical updates, and one publicly disclosed vulnerability.

This month we pay close attention to CVE-2020-1463 (the publicly disclosed vulnerability, an elevation of privilege flaw that was not reported to be attacked in the wild) and CVE-2020-1350 (a remote code execution vulnerability in DNS servers that Microsoft identifies as potentially wormable).

CVE-2020-1463 – An elevation of privilege vulnerability exists in the way that the SharedStream Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the SharedStream Library properly handles objects in memory.

CVE-2020-1350 – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server. The update addresses the vulnerability by modifying how Windows DNS servers handle requests.

For additional details, please find the information from Microsoft below:

| Technology | Products Affected | Severity | Reference | Workaround/Exploited/Publicly Disclosed | Vulnerability Info |
| --- | --- | --- | --- | --- | --- |
| Windows | Windows 8.1, 8.1 RT, 10, Server 2012, 2012 R2, 2016, 2019 | Critical | CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043, CVE-2020-1085, CVE-2020-1249, CVE-2020-1267, CVE-2020-1330, CVE-2020-1333, CVE-2020-1336, CVE-2020-1344, CVE-2020-1346, CVE-2020-1347, CVE-2020-1350, CVE-2020-1351, CVE-2020-1352, CVE-2020-1353, CVE-2020-1354, CVE-2020-1355, CVE-2020-1356, CVE-2020-1357, CVE-2020-1358, CVE-2020-1359, CVE-2020-1360, CVE-2020-1361, CVE-2020-1362, CVE-2020-1363, CVE-2020-1364, CVE-2020-1365, CVE-2020-1366, CVE-2020-1367, CVE-2020-1368, CVE-2020-1369, CVE-2020-1370, CVE-2020-1371, CVE-2020-1372, CVE-2020-1373, CVE-2020-1374, CVE-2020-1375, CVE-2020-1381, CVE-2020-1382, CVE-2020-1384, CVE-2020-1385, CVE-2020-1386, CVE-2020-1387, CVE-2020-1388, CVE-2020-1389, CVE-2020-1390, CVE-2020-1391, CVE-2020-1392, CVE-2020-1393, CVE-2020-1394, CVE-2020-1395, CVE-2020-1396, CVE-2020-1397, CVE-2020-1398, CVE-2020-1399, CVE-2020-1400, CVE-2020-1401, CVE-2020-1402, CVE-2020-1404, CVE-2020-1405, CVE-2020-1406, CVE-2020-1407, CVE-2020-1408, CVE-2020-1409, CVE-2020-1410, CVE-2020-1411, CVE-2020-1412, CVE-2020-1413, CVE-2020-1414, CVE-2020-1415, CVE-2020-1418, CVE-2020-1419, CVE-2020-1420, CVE-2020-1421, CVE-2020-1422, CVE-2020-1423, CVE-2020-1424, CVE-2020-1425, CVE-2020-1426, CVE-2020-1427, CVE-2020-1428, CVE-2020-1429, CVE-2020-1430, CVE-2020-1431, CVE-2020-1434, CVE-2020-1435, CVE-2020-1436, CVE-2020-1437, CVE-2020-1438, CVE-2020-1441, CVE-2020-1457, CVE-2020-1463, CVE-2020-1468 | Workaround: Yes; Public: Yes; Exploited: No | Elevation of Privilege, Remote Code Execution, Tampering, Denial of Service, Information Disclosure |
| Edge | EdgeHTML-based | Important | CVE-2020-1433, CVE-2020-1462 | Workaround: No; Exploited: No; Public: No | Information Disclosure |
| IE | 11 | Critical | CVE-2020-1403, CVE-2020-1432 | Workaround: No; Exploited: No; Public: No | Remote Code Execution, Information Disclosure |
| Office, Office Services, Office Web Apps | Office 2010, 2016 for Mac, 2019, 2019 for Mac; Office Web Apps 2010, 2013, 365; Outlook/Word 2010, 2013, 2016; SharePoint Enterprise Server 2013, 2016; SharePoint Foundation 2013; SharePoint Server 2010, 2019 | Critical | CVE-2020-1025, CVE-2020-1147, CVE-2020-1240, CVE-2020-1342, CVE-2020-1349, CVE-2020-1409, CVE-2020-1439, CVE-2020-1442, CVE-2020-1443, CVE-2020-1444, CVE-2020-1445, CVE-2020-1446, CVE-2020-1447, CVE-2020-1448, CVE-2020-1449, CVE-2020-1450, CVE-2020-1451, CVE-2020-1454, CVE-2020-1456, CVE-2020-1458, CVE-2020-1465 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege, Remote Code Execution, Spoofing, Information Disclosure |
| Defender | All | Important | CVE-2020-1461 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege |
| Skype for Business | 2015, 2019 | Critical | CVE-2020-1025 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege |
| Visual Studio | 2015, 2017, 2019, Code, Code ESLint extension | Critical | CVE-2020-1147, CVE-2020-1393, CVE-2020-1416, CVE-2020-1481 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege, Remote Code Execution |
| OneDrive | OneDrive for Windows | Important | CVE-2020-1465 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege |
| .NET Framework | .NET Core 2.1, 3.1; .NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 | Critical | CVE-2020-1147 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| Azure DevOps | DevOps Server 2019 Storage Explorer | Important | CVE-2020-1326, CVE-2020-1416 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege, Spoofing |

In case of any questions or clarifications please feel free to reach out to ECHO’s Service Desk.