July 2020 Patch Tuesday

This month Microsoft patched 123 vulnerabilities, 18 of which are rated “Critical” by Microsoft. None of the vulnerabilities have been exploited in the wild.

Windows Server DNS

The most severe bug patched this month is in Windows Server DNS. The bug received a perfect 10 CVSS rating due to its ease of exploit and severity. The Check Point researchers who discovered the vulnerability claim that the vulnerability can easily be weaponized into a self-propagating worm malware.

RemoteFx vGPU component of Hyper-V

RemoteFx vGPU is a component of Hyper-V that utilizes a physical GPU for multiple virtual machines. This update not only patches RemoteFx, but also disables the use of RemoteFx. Virtual Machines dependent on RemoteFx will fail to boot after the update. Microsoft claims this vulnerability is “Unlikely for Exploitation”, but decided to hamstring everyone’s virtual machines using this technology without warning. An attacker exploiting this vulnerability would be able to execute code on the host system from a compromised guest. It is worth mentioning that RemoteFx vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment instead.

Microsoft Office

Microsoft Office products got their usual attention this month. Word received the most fixes, with three vulnerabilities patched. Attackers exploiting these vulnerabilities would be able to execute code within the security context of the current user. This once again reminds us to exercise the principle of least privilege.

Microsoft Graphics Various Windows graphics components were updated this month. Attackers leveraging these vulnerabilities would be able to glean sensitive information from system memory, execute code remotely with system privileges, or elevate privileges on a compromised device. Microsoft rates these vulnerabilities as Critical.

LNK Files

LNK files are back again with a remote code execution vulnerability. These files are particularly dangerous when mishandled because they are automatically executed whenever removable media (flash drives, external hard drives, etc) are connected to a Windows machine. An attacker attaching a flash drive with this maliciously crafted file would be able to execute code within the security context of the current user. This would allow them to potentially take over the system if the computer was logged in to an administrator account.