July 2020 Monthly Patch Release

Published on 15 Jul 2020

Updated on 15 Jul 2020

Microsoft has released security patches to address multiple vulnerabilities in their software and products.

The vulnerabilities that have been classified as Critical in severity are listed in the table below.

For the full list of security patches released by Microsoft, please refer to https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jul

CRITICAL VULNERABILITIES
CVE Number Description Base Score Reference
CVE-2020-1350

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

The update addresses the vulnerability by modifying how Windows DNS servers handle requests.

10.0 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

CVE-2020-1043;

CVE-2020-1042;

CVE-2020-1041;

CVE-2020-1040;

CVE-2020-1036;

CVE-2020-1032

Remote code execution vulnerabilities exist when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerabilities, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerabilities could execute arbitrary code on the host operating system.

There is no patch to fix these vulnerabilities, and the update listed will forcibly disable RemoteFX when applied. More information can be found in the FAQ below.

The software listed in the Security Updates table indicates those operating systems for which RemoteFX vGPU is currently available. RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.

8.0

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1043

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1042

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1041

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1036

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1032

CVE-2020-1410

A remote code execution vulnerability exists when Windows Address Book (WAB) improperly processes vcard files.

To exploit the vulnerability, an attacker could send a malicious vcard that a victim opens using Windows Address Book (WAB). After successfully exploiting the vulnerability, an attacker could gain execution on a victim system.

The security update addresses the vulnerability by correcting the way Windows Address Book handles bound checking.

7.8 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1410
CVE-2020-1409

A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory.

7.8 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1409
CVE-2020-1403

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

7.5 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1403
CVE-2020-1374

A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server, they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.

The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests.

7.5 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1374
CVE-2020-1421

A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive(or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker's choice, on the target system.

The security update addresses the vulnerability by correcting the processing of shortcut LNK references.

7.5 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1421
CVE-2020-1436

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted fonts.

For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability:

  • In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.
  • In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file.

The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.

6.3 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1436
CVE-2020-1435

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

There are multiple ways an attacker could exploit the vulnerability:

  • In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message.
  • In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file.

The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.

6.3 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1435
CVE-2020-1439

A remote code execution vulnerability exists in PerformancePoint Services for SharePoint Server when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.

To exploit this vulnerability, an attacker could upload a specially crafted document to a server utilizing an affected product to process content.

The security update addresses the vulnerability by correcting how PerformancePoint Services validates the source markup of XML content.

TBD https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1439
CVE-2020-1349

A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.

To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.

Note that the Preview Pane is an attack vector for this vulnerability.

The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory.

TBD https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1349
CVE-2020-1025

An elevation of privilege vulnerability exists when Microsoft SharePoint Server and Skype for Business Server improperly handle OAuth token validation. An attacker who successfully exploited the vulnerability could bypass authentication and achieve improper access.

To exploit this vulnerability, an attacker would need to modify the token.

The update addresses the vulnerability by modifying how Microsoft SharePoint Server and Skype for Business Server validate tokens.

TBD https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1025
CVE-2020-1147

A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.

To exploit this vulnerability, an attacker could upload a specially crafted document to a server utilizing an affected product to process content.

The security update addresses the vulnerability by correcting how .NET Framework, Microsoft SharePoint, and Visual Studio validates the source markup of XML content.

TBD https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147