This month’s Microsoft Patch Tuesday addresses 123 vulnerabilities with 18 of them labeled as Critical. The 18 Critical vulnerabilities cover Hyper-V, DNS Server, PerformancePoint, SharePoint Server, Office, Outlook, Remote Desktop, and several other workstation vulnerabilities. Adobe issued patches today for Download Manager, Media Encoder, Genuine Service, ColdFusion, and Creative Cloud.
Today’s patch Tuesday fixes many vulnerabilities that would impact workstations. The Office, Outlook, Remote Desktop Client, DirectWrite, Address Book, LNK, GDI+, Font Library, and VBScript vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Windows DNS Server RCE
An extremely critical Remote Code Execution vulnerability (CVE-2020-1350) is fixed today in all versions of Windows DNS Server. Microsoft ranks this vulnerability as “Exploitation More Likely,” and according to Microsoft and the researchers at Check Point, the vulnerability is wormable. It is highly recommended to prioritize these patches on all Microsoft DNS servers, including Active Directory servers.
In a guidance document, Microsoft provides a workaround that involves setting the maximum TcpReceivePacketSize to prevent exploitation. If patches cannot be deployed immediately, this workaround should be considered.
Hyper-V RemoteFX vGPU RCE
Microsoft patched six similar RCE vulnerabilities (CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043) related to the way graphics drivers are handled in Hyper-V. Since the vulnerabilities involve directly attacking the host’s graphics drivers, this patch simply disables RemoteFX functionality. According to Microsoft: “RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.”
Deserialization RCEs in PerformancePoint Services, SharePoint, .NET, and Visual Studio
Microsoft also patched two RCEs in PerformancePoint Services for SharePoint Server (CVE-2020-1439) along with .NET Framework, SharePoint Server, and Visual Studio (CVE-2020-1147). These vulnerabilities both involve the deserialization of XML content and could lead to Remote Code Execution if exploited.
Adobe issued patches today covering multiple vulnerabilities in Download Manager, Media Encoder, Genuine Service, ColdFusion, and Creative Cloud. The patches for Creative Cloud and ColdFusion are labeled as Priority 2, while the remaining patches are set to Priority 3.
While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.