1. Cybersecurity >
  2. Hacker >
  3. The July 2020 Security Update Review

ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

The July 2020 Security Update Review


Hacking vom | Direktlink: thezdi.com Nachrichten Bewertung

July is upon us, and it brings another huge batch of security patches from Microsoft, and a few from Adobe as well. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for July 2020

This month, Adobe released five patches covering 13 CVEs in Adobe Cold Fusion, Download Manager, Genuine Service, Media Encoder, and the Creative Cloud Desktop Application. Three of these bugs came through the ZDI program. The update for Cold Fusion covers two DLL search-order hijacking bugs that could allow a privilege escalation. The fix for Download Manager corrects a single command injection vulnerability. The patch for Media Encoder address two Out-Of-Bounds (OOB) Write and an OOB Read bug. The OOB Write bugs could lead to arbitrary code execution if an attacker convinces a target to visit a malicious page or open a malicious file. The update for the Creative Cloud Desktop Application fixes four different bugs. The most severe of these would allow an arbitrary file system write, while the others could allow a privilege escalation. Finally, the patch for Adobe Genuine Service fixes three Important-severity privilege escalation vulnerabilities. None of the bugs fixed by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for July 2020

For July, Microsoft released patches for 123 CVEs and one advisory covering Microsoft Windows, Edge (EdgeHTML-based and Chromium-based) in IE Mode, ChakraCore, Internet Explorer (IE), Office and Office Services and Web Apps, Windows Defender, Skype for Business, Visual Studio, .NET Framework, OneDrive, Azure DevOp, and Open Source Software. That makes five straight months of 110+ CVEs released and brings the total for 2020 up to 742. For comparison, Microsoft released patches for 851 CVEs in all of 2019. At this pace, Microsoft will eclipse that number next month. They have already passed their totals for 2017 (665) and 2018 (691).

Of these 123 patches, 18 are listed as Critical and 105 are listed as Important in severity. Seven of these bugs came through the ZDI program. None of these bugs are listed as being under attack at the time of release, while one CVE is listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with a highly exploitable bug in Windows DNS servers:

-       CVE-2020-1350 - Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a CVSS 10 rated bug in the Windows DNS Server service that could allow unauthenticated code execution at the level of Local System account if an affected system received a specially crafted request. That makes this bug wormable – at least between affected DNS servers. Microsoft also suggests a registry edit that limits the size of TCP packets the server will process as a workaround, but they don’t list any potential side effects of that registry change. The attack vector requires very large DNS packets, so attacks cannot be conducted over UDP. Considering Windows DNS servers are usually also Domain Controllers, definitely get this patched as soon as you can.

-       CVE-2020-1025 - Microsoft Office Elevation of Privilege Vulnerability
It’s rare to see an Elevation of Privilege (EoP) bug rated Critical in severity, but this vulnerability in SharePoint and Skype for Business servers certainly earns its rating. An attacker could use this to gain access to an affected server through the improper handling of an OAuth token. Lync servers are also impacted by this, so if you have one of those left around, patch and then seriously consider upgrading to something newer.

-       CVE-2020-1147 - .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
A problem with the way XML source markup is checked could lead to RCE in .NET, SharePoint, and Visual Studio. This also seems to be related to CVE-2020-1439, as both list the core problem residing in the “DataSet” and “DataTable” types which are .NET components used to manage data sets. Either way, all patches are needed to fully address this bug, and that could make servicing difficult. At least it appears the patches may be installed in any order.

-       CVE-2020-1349 - Microsoft Outlook Remote Code Execution Vulnerability
This patch fixes a bug in Outlook that could allow an attacker to execute code at the level of the logged-on user if they open or view a specially crafted e-mail. What sets this vulnerability apart is the fact that just viewing the e-mail in the Preview Pane is enough to trigger the bug.

Here’s the full list of CVEs released by Microsoft for July 2020.

CVE Title Severity Public Exploited XI - Latest XI - Older Type
CVE-2020-1463 Windows SharedStream Library Elevation of Privilege Vulnerability Important Yes No 2 2 EoP
CVE-2020-1147 .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1409 DirectWrite Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1435 GDI+ Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1032 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1036 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1040 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1041 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1042 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1043 Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1421 LNK Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1025 Microsoft Office Elevation of Privilege Vulnerability Critical No No 2 2 RCE
CVE-2020-1349 Microsoft Outlook Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1439 PerformancePoint Services Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1374 Remote Desktop Client Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2020-1403 VBScript Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2020-1410 Window Address Book Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1350 Windows DNS Server Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2020-1436 Windows Font Library Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-1469 Bond Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2020-1333 Group Policy Services Policy Processing Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1400 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1401 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1407 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1267 Local Security Authority Subsystem Service Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2020-1461 Microsoft Defender Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1433 Microsoft Edge Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1240 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1351 Microsoft Graphics Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1412 Microsoft Graphics Components Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1408 Microsoft Graphics Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1342 Microsoft Office Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1445 Microsoft Office Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1458 Microsoft Office Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1450 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-1451 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-1456 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-1465 Microsoft OneDrive Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1449 Microsoft Project Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1454 Microsoft SharePoint Reflective XSS Vulnerability Important No No 2 2 XSS
CVE-2020-1444 Microsoft SharePoint Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1443 Microsoft SharePoint Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2020-1446 Microsoft Word Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1447 Microsoft Word Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1448 Microsoft Word Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1442 Office Web Apps XSS Vulnerability Important No No 2 2 XSS
CVE-2020-1462 Skype for Business and Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1432 Skype for Business via Internet Explorer Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1326 Team Foundation Server Cross-site Scripting Vulnerability Important No No 2 2 XSS
CVE-2020-1416 Visual Studio Code Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1481 Visual Studio Code Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1402 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1391 Windows Agent Activation Runtime Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1396 Windows ALPC Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1431 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1359 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1384 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1375 Windows COM Server Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1368 Windows Credential Enrollment Manager Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1385 Windows Credential Picker Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1393 Windows Diagnostics Hub Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1418 Windows Diagnostics Hub Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1388 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1392 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1394 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1395 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1420 Windows Error Reporting Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1429 Windows Error Reporting Manager Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1365 Windows Event Logging Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1371 Windows Event Logging Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1386 Windows Feedback Hub Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1355 Windows Font Driver Host Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-1085 Windows Function Discovery Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1468 Windows GDI Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1381 Windows Graphics Component Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-1382 Windows Graphics Component Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-1397 Windows Imaging Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1356 Windows iSCSI Target Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1336 Windows Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1411 Windows Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1367 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 EoP
CVE-2020-1389 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 EoP
CVE-2020-1419 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 EoP
CVE-2020-1426 Windows Kernel Information Disclosure Vulnerability Important No No 1 1 EoP
CVE-2020-1398 Windows Lockscreen Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1372 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1405 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1330 Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1346 Windows Modules Installer Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1373 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1390 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1427 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1428 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1438 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1406 Windows Network List Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1437 Windows Network Location Awareness Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1363 Windows Picker Platform Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1366 Windows Print Workflow Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1360 Windows Profile Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1387 Windows Push Notification Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1358 Windows Resource Policy Information Disclosure Vulnerability Important No...
https://www.thezdi.com/blog/2020/7/14/the-july-2020-security-update-review

Externe Quelle mit kompletten Inhalt anzeigen


Zur Startseite von Team IT Security

➤ Weitere Beiträge von Team Security | IT Sicherheit

CentOS Blog: CentOS Community Newsletter, August 2019 (#1908)

vom 668.64 Punkte ic_school_black_18dp
Dear CentOS enthusiast, It's been another busy month, but better a few days late than never! If you'd like to help out with the process of putting together the newsletter, please see the Contributing section at the end. We're always looking for help! R

The July 2020 Security Update Review

vom 406.19 Punkte ic_school_black_18dp
July is upon us, and it brings another huge batch of security patches from Microsoft, and a few from Adobe as well. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for

The March 2020 Security Update Review

vom 374.11 Punkte ic_school_black_18dp
March is upon us, and it brings a bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for March 2020Oddly, Adobe

The June 2020 Security Update Review

vom 372.18 Punkte ic_school_black_18dp
June is here, and it brings with it a record number of security patches from Microsoft, and a few from Adobe as well. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe

The April 2020 Security Update Review

vom 370.99 Punkte ic_school_black_18dp
April is here, and it brings another cornucopia of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for April 2020For April, Ad

The September 2020 Security Update Review

vom 370.02 Punkte ic_school_black_18dp
September is upon us and so are the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.Adobe Patches for September 2020Adobe rel

The August 2020 Security Update Review

vom 368.2 Punkte ic_school_black_18dp
August is here and so is the latest batch of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.Adobe Patches for August 2020The Adobe re

The May 2020 Security Update Review

vom 366.73 Punkte ic_school_black_18dp
May is upon us, and with it brings another bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for May 2020The Adobe updat

The February 2020 Security Update Review

vom 364.42 Punkte ic_school_black_18dp
February is here, and with it comes some significant security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for February 2020The Adobe

The October 2020 Security Update Review

vom 329.04 Punkte ic_school_black_18dp
October is here and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.Adobe Patches for October 2020Adobe relea

Movierulz 2020 | Download Watch Telugu Bollywood and Hollywood Full Movies Online Free

vom 249.92 Punkte ic_school_black_18dp
Movierulz - Download watch latest Bollywood Hollywood Hindi English Telugu Tamil Malayalam Dubbed Kannada Marathi Punjabi movies online free movierulz torrent8Movierulz.ws- Download Watch Telugu Bollywood and Hollywood Full Movies Online FreeThe torre

CentOS Blog: CentOS Community newsletter, April 2020 (#2004)

vom 245.39 Punkte ic_school_black_18dp
Dear CentOS enthusiast, I hope you are all well. I know that this is a very difficult time for all of you, and that you likely have other things on your mind than CentOS, so I'll try to make it interesting this month. In this edition: News Releases and updates Event

Team Security Diskussion über The July 2020 Security Update Review