The July 2020 Security Update Review
July 14, 2020 | Dustin ChildsJuly is upon us, and it brings another huge batch of security patches from Microsoft, and a few from Adobe as well. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for July 2020
This month, Adobe released five patches covering 13 CVEs in Adobe Cold Fusion, Download Manager, Genuine Service, Media Encoder, and the Creative Cloud Desktop Application. Three of these bugs came through the ZDI program. The update for Cold Fusion covers two DLL search-order hijacking bugs that could allow a privilege escalation. The fix for Download Manager corrects a single command injection vulnerability. The patch for Media Encoder address two Out-Of-Bounds (OOB) Write and an OOB Read bug. The OOB Write bugs could lead to arbitrary code execution if an attacker convinces a target to visit a malicious page or open a malicious file. The update for the Creative Cloud Desktop Application fixes four different bugs. The most severe of these would allow an arbitrary file system write, while the others could allow a privilege escalation. Finally, the patch for Adobe Genuine Service fixes three Important-severity privilege escalation vulnerabilities. None of the bugs fixed by Adobe are listed as publicly known or under active attack at the time of release.
Updated as on July 21, 2020
Just a week after its scheduled release, Adobe published four additional patches addressing 13 CVEs in Adobe Reader Mobile, Prelude, Photoshop, and Bridge. 12 of the 13 CVEs patched were reported by ZDI Researcher Mat Powell. The update for Reader Mobile fixes an Important severity directory traversal. The patch for Prelude fixes two Out-Of-Bounds (OOB) Read and two OOB Write bugs that could lead to code execution. The Photoshop patch also corrects Critical-rated OOB Read and OOB Write flaws. Finally, the patch for Adobe Bridge fixes three additional Critical-rated OOB Read and Write bugs. None of the bugs addressed today are listed as publicly known or under active attack at the time of release.
Microsoft Patches for July 2020
For July, Microsoft released patches for 123 CVEs and one advisory covering Microsoft Windows, Edge (EdgeHTML-based and Chromium-based) in IE Mode, ChakraCore, Internet Explorer (IE), Office and Office Services and Web Apps, Windows Defender, Skype for Business, Visual Studio, .NET Framework, OneDrive, Azure DevOp, and Open Source Software. That makes five straight months of 110+ CVEs released and brings the total for 2020 up to 742. For comparison, Microsoft released patches for 851 CVEs in all of 2019. At this pace, Microsoft will eclipse that number next month. They have already passed their totals for 2017 (665) and 2018 (691).
Of these 123 patches, 18 are listed as Critical and 105 are listed as Important in severity. Seven of these bugs came through the ZDI program. None of these bugs are listed as being under attack at the time of release, while one CVE is listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with a highly exploitable bug in Windows DNS servers:
- CVE-2020-1350 - Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a CVSS 10 rated bug in the Windows DNS Server service that could allow unauthenticated code execution at the level of Local System account if an affected system received a specially crafted request. That makes this bug wormable – at least between affected DNS servers. Microsoft also suggests a registry edit that limits the size of TCP packets the server will process as a workaround, but they don’t list any potential side effects of that registry change. The attack vector requires very large DNS packets, so attacks cannot be conducted over UDP. Considering Windows DNS servers are usually also Domain Controllers, definitely get this patched as soon as you can.
- CVE-2020-1025 - Microsoft Office Elevation of Privilege Vulnerability
It’s rare to see an Elevation of Privilege (EoP) bug rated Critical in severity, but this vulnerability in SharePoint and Skype for Business servers certainly earns its rating. An attacker could use this to gain access to an affected server through the improper handling of an OAuth token. Lync servers are also impacted by this, so if you have one of those left around, patch and then seriously consider upgrading to something newer.
- CVE-2020-1147 - .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
A problem with the way XML source markup is checked could lead to RCE in .NET, SharePoint, and Visual Studio. This also seems to be related to CVE-2020-1439, as both list the core problem residing in the “DataSet” and “DataTable” types which are .NET components used to manage data sets. Either way, all patches are needed to fully address this bug, and that could make servicing difficult. At least it appears the patches may be installed in any order.
- CVE-2020-1349 - Microsoft Outlook Remote Code Execution Vulnerability
This patch fixes a bug in Outlook that could allow an attacker to execute code at the level of the logged-on user if they open or view a specially crafted e-mail. What sets this vulnerability apart is the fact that just viewing the e-mail in the Preview Pane is enough to trigger the bug.
Here’s the full list of CVEs released by Microsoft for July 2020.
| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
| CVE-2020-1463 | Windows SharedStream Library Elevation of Privilege Vulnerability | Important | Yes | No | 2 | 2 | EoP |
| CVE-2020-1147 | .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1409 | DirectWrite Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1435 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1032 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1036 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1040 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1041 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1042 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1043 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1421 | LNK Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1025 | Microsoft Office Elevation of Privilege Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1349 | Microsoft Outlook Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1439 | PerformancePoint Services Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1374 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2020-1403 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2020-1410 | Window Address Book Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2020-1436 | Windows Font Library Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2020-1469 | Bond Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-1333 | Group Policy Services Policy Processing Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1400 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1401 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1407 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1267 | Local Security Authority Subsystem Service Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-1461 | Microsoft Defender Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1433 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1240 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1351 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1412 | Microsoft Graphics Components Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1408 | Microsoft Graphics Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1342 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1445 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1458 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1450 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1451 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1456 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1465 | Microsoft OneDrive Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1449 | Microsoft Project Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1454 | Microsoft SharePoint Reflective XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1444 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1443 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2020-1446 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1447 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1448 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1442 | Office Web Apps XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1462 | Skype for Business and Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1432 | Skype for Business via Internet Explorer Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1326 | Team Foundation Server Cross-site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2020-1416 | Visual Studio Code Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1481 | Visual Studio Code Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1402 | Windows ActiveX Installer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1391 | Windows Agent Activation Runtime Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1396 | Windows ALPC Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1431 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1359 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1384 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1375 | Windows COM Server Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1368 | Windows Credential Enrollment Manager Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1385 | Windows Credential Picker Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1393 | Windows Diagnostics Hub Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1418 | Windows Diagnostics Hub Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1388 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1392 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1394 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1395 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1420 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1429 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1365 | Windows Event Logging Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1371 | Windows Event Logging Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1386 | Windows Feedback Hub Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1355 | Windows Font Driver Host Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2020-1085 | Windows Function Discovery Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1468 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1381 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-1382 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-1397 | Windows Imaging Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1356 | Windows iSCSI Target Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1336 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1411 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1367 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1389 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1419 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1426 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-1398 | Windows Lockscreen Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1372 | Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1405 | Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1330 | Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1346 | Windows Modules Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1373 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1390 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1427 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1428 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1438 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1406 | Windows Network List Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1437 | Windows Network Location Awareness Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1363 | Windows Picker Platform Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1366 | Windows Print Workflow Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1360 | Windows Profile Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1387 | Windows Push Notification Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1358 | Windows Resource Policy Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1249 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1353 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1370 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1399 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2020-1404 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1413 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1414 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1415 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1422 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1347 | Windows Storage Services Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1423 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1434 | Windows Sync Host Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1357 | Windows System Events Broker Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1424 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1354 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1430 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1352 | Windows USO Core Worker Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1364 | Windows Wallet Service Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2020-1361 | Windows Wallet Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2020-1344 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1362 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2020-1369 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
Of the remaining Critical-rated patches, we find another patch for LNK files. Considering this is the fourth one this year to be addressed, it seems likely one of the first three didn’t completely resolve the underlying vulnerability. Speaking of familiar bugs, there is another patch for RDP, but this one is only for the client side. While not wormable, an attacker could still get RCE on a target system if an affected system logged in to a malicious server. There are six CVEs affecting Hyper-V, but there are no actual patches to fix the bug. The vulnerabilities all reside in the RemoteFX vGPU, which is no longer supported. The update provided simply removes RemoteFX. The remaining Critical-rated bugs affect different components, but all require either opening a crafted object or browsing to a malicious website.
The majority of this release concerns EoP bugs. These include a bug in the Windows SharedStream Library that is listed as publicly known. Although many different components are receiving patches, the exploit scenario is nearly identical. A local, authenticated attacker runs a specially crafted program to gain additional privileges. One thing to note is the July 2020 Servicing Stack Updates (SSUs) must be installed before patches for the Windows Modules Installer. The patches for the Mobile Device Management (MDM) Diagnostics don’t allow for code execution but could allow attackers to delete files they shouldn’t be able to access. There’s also a wrinkle in the update for Visual Studio. Instead of running a program, an attacker would need to place a file on the system then wait for the user to launch Visual Studio. The patches for Windows Defender should have already been applied to your systems as the engine updates as needed. If you have systems disconnected from the Internet, you’ll need to apply these patches by hand. EoP bugs submitted during the Spring Pwn2Own contest are also receiving patches this month.
There are 14 Important-rated RCEs getting fixes this month as well. For the most part, these need some form of user interaction, such as opening a file or browsing to a website. Those bugs that allow code execution by browsing to a website should be prioritized, as those could also be triggered by a malicious ad on an otherwise harmless site.
There are also 14 information disclosure bugs getting patched this month. For the most part, only uninitialized memory or memory layout is disclosed. For CVE-2020-1391, the write-up mentions disclosing “sensitive information,” but offers no clue as to what type of sensitive information that may be. There are two patches for Skype for Business that could disclose Skype profile data or other PII of the user. The patch for CVE-2020-1330 fixes a bug in the MDM Diagnostics that could allow an attacker to read from the file system. It’s not clear if the entire file system is open or only specific parts.
The release is rounded out with patches for a few cross-site scripting bugs and Denial-of-Service (DoS) bugs. Included in the DoS bugs is a new version of the .NET implementation of Bond. It’s strange to see Microsoft patches for open source software, but it’s a welcome event.
Looking at the advisories for July, the first is Microsoft’s Guidance for Enabling Request Smuggling Filter on IIS Servers (ADV200008). Failure to strictly adhere to the RFC could allow an unauthenticated attacker to tamper with requests and responses on an IIS website if they sent a specially crafted request to an affected IIS site serviced by a front-end load balancer or proxy. If you’re using a front-end load balancer or proxy, you should review the advisory to ensure malformed requests are not being passed to back-end servers. The other is the update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.
Looking Ahead
The next Patch Tuesday falls on August 11, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!