For the fifth month in a row, Microsoft has patched over 100 CVEs, addressing 123 CVEs in the July 2020 Patch Tuesday release. Included this month is a highly critical remote code execution (RCE) vulnerability in Windows DNS Server (CVE-2020-1350).
The updates this month include patches for Microsoft Windows, Microsoft Edge, Microsoft ChakraCore, Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, Windows Defender, Skype for Business, Visual Studio, Microsoft OneDrive, Open Source Software, .NET Framework, and Azure DevOps.
Satnam Narang, Staff Research Engineer at Tenable, comments on this month’s Patch Tuesday:
Microsoft has once again patched over 100 CVEs, addressing 123 CVEs, including 18 critical vulnerabilities. For the third month in a row, none of the vulnerabilities patched this month were exploited in the wild. The most severe vulnerability patched this month is CVE-2020-1350, a remote code execution vulnerability in the Windows Domain Name System (DNS) Server. The flaw exists due to the improper handling of requests sent to Windows DNS servers. A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server.
Successful exploitation would allow the attacker to execute arbitrary code under the Local System Account context. Microsoft warns that this vulnerability is “wormable,” which means it could spread without interaction between vulnerable systems via malware. Organizations are strongly encouraged to patch their systems as soon as possible to address this vulnerability, as we expect that it won’t be long before attackers begin to probe for and target vulnerable systems.