For this month of July, Microsoft has released a salvo of 123 bug fixes, of which 18 have been critical class including that affecting Windows DNS Server allowing the execution of remote code to control systems.
A good batch of patches for this month of July 2020 from Microsoft. For its Patch Tuesday, 123 patches were offered by the Redmond company, marking a 5th consecutive month with more than 110 CVE filled, including 18 classified as critical. Many services and applications are affected, including Windows, Edge, ChakraCore, Internet Explorer, Office Services and Web Apps, Windows Defender, Skype for Business, Visual Studio, .NET Framework, OneDrive, Azure DevOp and Open Source Software. No flaw patched by Microsoft is currently exploited, which in itself is good news. However, one of the corrected CVEs draws particular attention and requires the responsiveness of the IT and security teams. This is the CVE-2020-1350 which allows the execution of malicious remote code in Windows DNS Server.
“This fix fixes a bug evaluated CVSS 10 in the Windows DNS Server service which could allow the execution of unauthenticated code at the local system account level if an affected system received a specific request”, explain the researchers of the Zero Day Initiative. All versions of Windows are affected. One of the main problems with this flaw is using it to spread a worm through infected machines without human intervention. A buffer overflow triggered by a malicious DNS request can thus allow an attacker to take control of a system and perform various actions (interception and manipulation of e-mails, collection of identification information …) .
Malicious code executed by simply viewing a trapped email
In addition to this DNS Server flaw, the July 2020 Tuesday Patch addresses the CVE-2020-1025 presenting a risk of privilege escalation in Office (Sharepoint and Skype for Business), or the CVE-2020-1349 concerning Outlook. “This fix fixes a bug in Outlook which could allow an attacker to execute code at the level of the logged in user if he opened or viewed a specifically trapped email. What sets this vulnerability apart is the fact that just viewing email in the viewing pane is enough to trigger the bug, “says the Zero Day Initiative.