
Patch Tuesday: Microsoft fixes 123 bugs in July 2020 update

The bugs start coming and they don’t stop coming; Microsoft has issued yet another bumper Patch Tuesday update

Microsoft has issued another large Patch Tuesday update, addressing a total of 123 vulnerabilities, including 18 critical vulnerabilities in Hyper-V, DNS Server, PerformancePoint, SharePoint Server, Office, Outlook and Remote Desktop. The update includes an unusually high number of remote code execution vulnerabilities that will keep both security teams and cyber criminals busy for days.

As already reported by Computer Weekly, probably the most serious vulnerability is CVE-2020-1350 or SigRed, a wormable remote code execution vulnerability in Windows DNS Server, which is exceptionally dangerous.

Chris Hass, director of information security and research at Automox, described SigRed as an “attacker’s dream”.

“An unauthenticated hacker could send specially crafted packets to the vulnerable Windows DNS Server to exploit the machine, allowing for arbitrary code to be run in the context of the Local System account,” he said. “Not only will the attacker have full control of the system, but they will also be able to leverage the server as a distribution point, allowing the attacker to spread malware between systems without any user interaction.

“This wormable capability adds a whole other layer of severity and impact, allowing malware authors to write ransomware similar to notable wormable malware such as WannaCry and NotPetya,” said Hass.

To make matters worse, Microsoft has said exploitation of this vulnerability is more likely, and if for some reason the patch cannot be applied right away, the vulnerability will inevitably be exploited in the near future.

Redmond has provided a Windows Registry setting workaround that, according to Rapid7’s Richard Tsang, effectively drops TCP-based DNS response packets exceeding 65,270 bytes without reporting an error. “It’s recommended that if patching cycles are slow, that the workaround be applied earlier. The workaround does not need to be removed prior to patching, although it would be worthwhile to undo the workaround after patching,” said Tsang.


Automox’s Hass said that while DNS was a critical service and taking it down to apply patches would heavily impact productivity, the alternative was leaving yourself open to a devastating cyber attack.

“With ransomware attacks continuing to rise during the Covid-19 pandemic, this wormable vulnerability could be just what attackers needed to fully compromise an organisation; this patch is not one to sleep on,” he said.

“We expect to see exploits for this particular vulnerability emerge in the next week – potentially faster, and that it will be widely exploited. The vulnerability only requires that the server make a request to another malicious server, so this will affect most organisations running Microsoft's DNS server,” said Jonathan Cran, head of research at Kenna Security.

“In short, patch this high-risk vulnerability now. Applying the patch or implementing the mitigation provided by Microsoft and rebooting is the best guidance we have available at this time.”

Other remote code execution vulnerabilities patched this month include CVE-2020-1147, CVE-2020-1421 and CVE-2020-1403, which affect Windows .NET Framework, LNK and VBScript respectively, all highly common services amongst Windows operating systems. This commonality means that adversaries could have the ability to launch an attack that is very broad in its scope.

Downtime expected

Jay Goodman, strategic product marketing manager at Automox, said the latest patch would further strain VPN infrastructure and warned that many organisations would likely see some downtime from on-premise patch management tools buckling under the pressure.

“VPNs are not designed to extend the IT perimeter and with a large number of remote employees and devices, we are facing a situation where there is no functional perimeter for your organisation,” he said.

“Some organisations are attempting to quickly address this by expanding their VPN capacities, but doubling down on VPN and legacy on-premise endpoint management solutions would be a knee-jerk reaction that does not take into consideration the long term cost efficiencies of embracing a digital transformation to the cloud.”

Other suppliers dropping their latest patches this week include Oracle, Adobe and Google, according to Ivanti senior product manager Todd Schell.

“Oracle Java SE is going to resolve 11 vulnerabilities all of which are remotely exploitable without authentication. Highest CVSS v3.1 base score is 8.3. Fusion Middleware is resolving 53 CVEs, 49 of which may be remotely exploited without authentication. Highest CVSS v3.1 base score is 9.8. MySQL is resolving 40 vulnerabilities, six of which may be remotely exploited without authentication. Highest CVSS v3.1 base score is 9.8,” he said.

“Adobe released five bulletins today, but only one included a critical vulnerability. Adobe Creative Cloud Desktop Application resolved four CVEs including CVE-2020-9682, which was rated as critical. Flash Player did release today, but no CVEs were reported in this release.

“Google also decided to join the party with a Google Chrome update resolving 38 vulnerabilities including at least one critical and many high CVEs,” said Schell. “From a third-party perspective, you should look to update Chrome and Java as high priority items this month.”
