Welcome to July’s Patch Tuesday breakdown.
For this month’s Patch Tuesday, Microsoft has released a patch for a wormable vulnerability which received a CVSS rating of 10.0 -- the highest severity rating. July’s update features patches for 123 vulnerabilities, with a total of 18 rated critical. Earlier in July, Microsoft also released an emergency disclosure and two patches for critical vulnerabilities.
Adobe has also released security updates to address a number of critical vulnerabilities across five of its platforms. This month, Mozilla has also released patches for Thunderbird and Firefox.
July’s Patch Tuesday update continues the trend of massive patching workloads, with Microsoft releasing over 100 updates each month for the last five months. For many system admins, there is a real struggle to keep up with the latest security updates, especially given recent changes in workforce dynamics and continued reliance on outdated endpoint management tools. The rise of remote work is here to stay and endpoint management protocols need to keep up with the pace, as staying up to date with the latest patches is as important as ever, if not more-so.
See last month’s breakdown for coverage of June’s Patch Tuesday release.
Microsoft Patches Critical DNS Vulnerability
For July, Microsoft has released a patch for a critical vulnerability, CVE-2020-1350, also nicknamed “SigRed.” This is a wormable remote code execution vulnerability which received the highest CVSS rating of 10, a rare feat. Experts are saying that this could be the most critical vulnerability Microsoft will address this year and Microsoft itself is advising that Windows administrators should prioritize patching for SigRed.
Attackers can exploit this vulnerability by sending specially crafted packets to a vulnerable Windows DNS Server and running arbitrary code within the context of the Local System account. This will give an attacker full control of the system, as well as giving them the ability to leverage the server as a distribution point -- allowing the malicious actor to spread malware between systems without any need for user interaction. The wormable capacity of SigRed greatly increases its severity and potential impact; with this vulnerability, attackers can write ransomware similar to the likes of WannaCry and NotPetya. Microsoft ranks exploitation for this vulnerability as “more likely,” as well -- which means it will be an attractive target for attackers.
DNS is a critical service for most any enterprise, but experts caution that allowing SigRed to remain unpatched to avoid disruptions to daily operations will leave organizations vulnerable to a very serious and exploitable threat.
“With ransomware attacks continuing to rise during the COVID pandemic, this wormable vulnerability could be just what attackers needed to fully compromise an organization; this patch is not one to sleep on,” says Chris Hass, Director of Information Security and Research at Automox.
Managing endpoints during the rise of remote work has made the process of securing endpoints and deploying patches more challenging than ever. Current estimates suggest that it can take organizations over 100 days just to deploy a single patch, while attackers can weaponize a newly disclosed vulnerability in under a week. Closing the gap between time-to-weaponize and time-to-patch is critical to securing your attack surface, including remote devices. Employing an automated endpoint management tool can help organizations increase their patching speeds and better secure their endpoints.
More Critical Updates From Microsoft
This month, Microsoft released fixes for 123 vulnerabilities, 18 of which are rated critical. In addition to SigRed, these include:
- CVE-2020-1025
- CVE-2020-1032
- CVE-2020-1036
- CVE-2020-1040
- CVE-2020-1041
- CVE-2020-1042
- CVE-2020-1043
- CVE-2020-1147
- CVE-2020-1349
- CVE-2020-1374
- CVE-2020-1403
- CVE-2020-1409
- CVE-2020-1410
- CVE-2020-1421
- CVE-2020-1435
- CVE-2020-1436
- CVE-2020-1439
Many of the security updates for July are fixes for remote code execution vulnerabilities; these kinds of vulnerabilities give attackers access to a system, the ability to read or delete data, make changes and run code on the target system. In addition to access to an organization’s data, a remote code execution attack can pave the way for attackers to engage in malicious activity with other devices in the target environment.
In this month’s update, Microsoft included fixes for six remote code execution vulnerabilities found in HyperV RemoteFX vGPU. The vulnerability exists when HyperV fails to properly validate input from an authenticated user on a guest operating system. There are no patches for these six vulnerabilities and instead the update will disable RemoteFX when applied.
CVE-2020-1349, -1410, -1374, and -1436 are all remote code execution vulnerabilities impacting Skype, Office, Outlook, and Remote Desktop Client. Additionally, CVE-2020-1147, -1421, and -1403 are remote code execution vulnerabilities in Windows .NET framework, LNK, and VBScript -- three very common services in Windows setups. Successful exploitation of these vulnerabilities can allow attackers to gain access to data, install new programs, create new user accounts and potentially run other malicious code within the environment.
Another critical vulnerability this month is CVE-2020-1025 is an elevation of privilege vulnerability impacting Microsoft Lync Server, Sharepoint 2016 to 2019, and Skype for Business Server 2015 and 2019. Successful exploitation could allow for bypassing OAuth token validation, providing malicious actors with access to a victim machine.
Other Updates For July
This month, Adobe has released fixes for vulnerabilities found across five of their platforms. Of the updates released, four are considered critical and the rest are ranked as important. A majority of the important vulnerabilities involve privilege escalation, while the critically rated bugs are more severe.
Three critical advisories (CVE-2020-9688, -9646, and -9650) for Adobe Download Manager and Media Encoder address critical vulnerabilities linked to arbitrary code execution, while a fourth critical vulnerability (CVE-2020-9682) involves Creative Cloud Desktop.
Mozilla has also released several critical and important fixes for bugs in several versions of Firefox web browser, as well as its Thunderbird email client.
Between the sheer volume of patches this month and the necessity of patching for SigRed as quickly as possible, system administrators will be more than busy. Trying to stay ahead of the latest threats has become an enormous task, especially given the sudden changes in the workplace so many organizations have implemented. Entire workforces are going remote in light of the COVID-19 pandemic, and many enterprises predict these changes will be kept for the long-term. Organizations may need to adapt their endpoint management routines to ensure remote devices are properly secured and are receiving critical patches in a timely manner.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.
