14 Jul 20

‘Wormable’ Flaw Leads July Microsoft Patches

Microsoft today released updates to plug a whopping 123 security holes in Windows and related software, including fixes for a critical, “wormable” flaw in Windows Server versions that Microsoft says is likely to be exploited soon. While this particular weakness mainly affects enterprises, July’s care package from Redmond has a little something for everyone. So if you’re a Windows (ab)user, it’s time once again to back up and patch up (preferably in that order).

Top of the heap this month in terms of outright scariness is CVE-2020-1350, a remotely exploitable bug in the Windows DNS Server component that affects more or less every version of Windows Server configured to act as a DNS server. An unauthenticated attacker who can get a vulnerable server to process a specially crafted DNS message could use it to run code on that machine as Local System, and so install malicious software, without any user interaction.

Microsoft said it is not aware of reports that anyone is exploiting the weakness (yet), but the flaw has been assigned the maximum CVSS score of 10.0, and Microsoft’s own exploitability assessment rates it “Exploitation More Likely.”

“We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction,” Microsoft wrote in its documentation of CVE-2020-1350. “DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts.”
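Microsoft’s advisory for CVE-2020-1350 also documents an interim registry workaround for servers that cannot take the update immediately: cap the size of DNS messages the server will accept over TCP at 0xFF00 bytes and restart the DNS service. The following PowerShell script is an added example, not code from this post or from Microsoft; it checks whether a host is exposed at all (only machines running the DNS Server role are), applies or removes the workaround, and verifies the registry value. The KB number is a placeholder you must replace with the one Microsoft lists for your OS build.

```powershell
# Added example (not from the KrebsOnSecurity post or Microsoft's advisory text):
# assess a Windows Server for CVE-2020-1350 exposure and apply Microsoft's
# documented interim registry workaround until the July 2020 update is installed.
# Assumptions: run elevated on the server itself; $ExpectedKb is the KB number
# for this OS build taken from Microsoft's advisory (placeholder value here).
#Requires -RunAsAdministrator
param(
    [string]$ExpectedKb = 'KB0000000',   # placeholder: substitute the KB for your OS build
    [switch]$Remove                       # remove the workaround once the patch is confirmed
)

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeSize  = 0xFF00   # 65280 bytes: the value Microsoft specifies for the workaround

# 1. Only hosts running the DNS Server role are exposed to this bug.
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Output 'DNS Server service not present; host is not exposed to CVE-2020-1350.'
    return
}

# 2. Check whether the cumulative update that carries the fix is installed.
$patched = [bool](Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue)
Write-Output ("Patch {0} installed: {1}" -f $ExpectedKb, $patched)

if ($Remove) {
    # 3a. Once patched, remove the workaround so large TCP responses are no longer dropped.
    if (-not $patched) { throw 'Refusing to remove the workaround before the patch is present.' }
    Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
    Write-Output 'Workaround removed; DNS service restarted.'
    return
}

# 3b. Otherwise apply the workaround: cap DNS messages received over TCP at 0xFF00 bytes.
#     The bug is reached through an oversized DNS message over TCP (UDP cannot carry
#     one that large), so the cap closes that path. Caveat, per Microsoft: legitimate
#     responses larger than 65,280 bytes, rare in practice, will fail until it is removed.
New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $SafeSize -Force | Out-Null
Restart-Service -Name DNS    # the change only takes effect after the DNS service restarts

# 4. Verify the value actually landed rather than trusting the write.
$applied = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
if ($applied -ne $SafeSize) { throw "Workaround not applied (value is $applied)." }
Write-Output ("Workaround active: {0} = 0x{1:X}" -f $ValueName, $applied)
```

Run it once without switches on each DNS server to apply the cap, then again with -Remove after the update shows up in Get-HotFix. The script refuses to remove the cap while the patch is absent, since that is the only thing standing between the server and an unauthenticated remote code execution as Local System.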

CVE-2020-1350 is just the latest worry for enterprise system administrators in charge of patching dangerous bugs in widely-used software. Over the past couple of weeks, fixes for flaws with high severity ratings have been released for a broad array of software products typically used by businesses, including Citrix, F5, Juniper, Oracle and SAP. This at a time when many organizations are already short-staffed and dealing with employees working remotely thanks to the COVID-19 pandemic.

The Windows Server vulnerability isn’t the only nasty one addressed this month that malware or malcontents can use to break into systems without any help from users. Seventeen other flaws fixed in this release earned Microsoft’s most dire “critical” rating, including bugs in Office, Internet Exploder, SharePoint, Visual Studio, and Microsoft’s .NET Framework.

Some of the more eyebrow-raising critical bugs addressed this month include CVE-2020-1410, which according to Recorded Future concerns the Windows Address Book and could be exploited via a malicious vCard file. Then there’s CVE-2020-1421, a flaw in how Windows handles .LNK shortcut files (think Stuxnet) that could be exploited via an infected removable drive or remote share. And we have the dynamic duo of CVE-2020-1435 and CVE-2020-1436, which involve problems with the way Windows handles images and fonts, respectively; either could be exploited to install malware just by getting a user to open a booby-trapped link or document.

Not to say flaws rated “important” as opposed to critical aren’t also a concern. Chief among those is CVE-2020-1463, a problem within Windows 10 and Server 2016 or later that was detailed publicly prior to this month’s Patch Tuesday.

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for a particular Windows update to hose one’s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files. Last month’s bundle of joy from Microsoft sent my Windows 10 system into a perpetual crash state. Thankfully, I was able to restore from a recent backup.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Also, keep in mind that Windows 10 is set to apply patches on its own schedule, which means if you delay backing up you could be in for a wild ride. If you wish to ensure the operating system has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches whenever it sees fit, see this guide.
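As an added example of the “back up, then pause, then patch” order described above (this script is not from the post or from Microsoft), the following PowerShell takes a bootable system image with the wbadmin tool that ships with Windows 10 and sets the local Windows Update policy so the OS cannot download and reboot on its own while the image is being written. The backup target letter is a placeholder; re-run the script with -Resume once you have patched to hand control back to Windows Update.

```powershell
# Added example (not from the post): image the boot volume with wbadmin and keep
# Windows Update from installing patches on its own schedule until the image is done.
# Assumptions: elevated PowerShell on Windows 10; a second volume (placeholder D:)
# with enough free space; a later run with -Resume restores the default update policy.
#Requires -RunAsAdministrator
param(
    [string]$BackupTarget = 'D:',   # placeholder: a volume other than the one being imaged
    [switch]$Resume                 # undo the update policy after the backup is verified
)

$AuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

if ($Resume) {
    # Remove the local policy value so Windows Update returns to its default behaviour.
    if (Test-Path $AuPolicy) {
        Remove-ItemProperty -Path $AuPolicy -Name 'NoAutoUpdate' -ErrorAction SilentlyContinue
    }
    Write-Output 'Automatic updates re-enabled.'
    return
}

# 1. Refuse to write the image onto the same volume that is being backed up.
if ($BackupTarget.TrimEnd('\') -eq $env:SystemDrive) {
    throw 'Backup target must be a different volume from the system drive.'
}

# 2. Set the "Configure Automatic Updates" policy to disabled (NoAutoUpdate = 1) so the
#    OS cannot download, install and reboot on its own while the image is being written.
#    Caveat: Windows 10 Home has no Group Policy UI, so confirm the setting took effect
#    there (Settings > Update & Security) before relying on it.
New-Item -Path $AuPolicy -Force | Out-Null
New-ItemProperty -Path $AuPolicy -Name 'NoAutoUpdate' -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Create a bootable system image: every volume needed to boot (-allCritical)
#    plus the system drive itself. -quiet suppresses the interactive prompt.
$log = Join-Path $env:TEMP 'wbadmin-backup.log'
wbadmin start backup -backupTarget:$BackupTarget -include:$env:SystemDrive -allCritical -quiet *> $log
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin failed (exit code $LASTEXITCODE); see $log. Automatic updates remain paused."
}

# 4. Confirm the backup is actually listed on the target before trusting it.
wbadmin get versions -backupTarget:$BackupTarget
Write-Output "System image written to $BackupTarget. Run again with -Resume after patching."
```

The order matters: the policy is set before wbadmin starts so a surprise reboot cannot interrupt the image, and it is only cleared by an explicit -Resume, so a failed backup leaves updates paused rather than silently letting them through.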

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a reliable lookout for buggy Microsoft updates each month.


43 comments

  1. Brian,

    As much as I respect your opinion, you writing “if you’re a Windows (ab)user” smacks of hypocrisy. Your blog is always silent on Google and its related products’ security flaws, which too are a dime a dozen. At least Microsoft does a monthly update on its products. How many updates does Google do for the millions of Android users who are using a compromised mobile OS? I know Google came to your rescue in the past, but as a security researcher please treat all vendors the same.

    • Lyle, can you write better articles than Brian?

    • Lyle, it’s meant to add levity to a fairly dry but important topic, and it’s certainly not my intention to bash Microsoft. Since you mentioned it, Google updated Chrome today with some pretty serious fixes as well.

      • Brian,

        You’re spot on. As a long time Systems and Security shepherd, I’ve looked at more than my fair share of Patch Tuesday announcements and QA testing. When you choose to write about such mundane things, you have to make me want to engage as a reader. Thanks for spicing up an otherwise boring, soul draining topic that we all look forward to each month.

    • Google’s OS isn’t widely used.

      Windows OS is.

      Mac OS (UNIX), Linux, FreeBSD UNIX et al are widely used by the wise and secure.

      Oh, and Microsoft uses Chromium now for its own Edge browser.

      • The Linux Kernel has its issues as well:

        https://en.wikipedia.org/wiki/Dirty_COW

        Patching is good, if the engineers are not in charge of it!

        9 year old flaw:

        https://betanews.com/2020/02/06/sudo-pwfeedback-root-access-flaw/

      • Android is widely used

      • “Google’s OS isn’t widely used”

        Not sure where you got that idea from? As of May 2019 there were 2.5 Billion Android devices in the wild.

        • Number of users does NOT equate to importance. It is one of many factors one must consider.

          I’d take the security of critical infrastructure like DNS…. over a million endpoint users any day. Why? Because a flaw in infrastructure, also affects the endpoint users.

        • The OS for Android is called Linux. All Android devices use a Linux kernel.
          Android is built on top of Linux.

      • Is it really necessary to get elitist about using Linux? Most home users who are normal computer users and not tech nerds use Windows, and most office environments, even at top tech companies, run Windows for their user desktops. And Linux has its share of vulnerabilities all the time, but because updates are usually done behind the scenes and not by one of the largest companies in the world, they fly under the radar.

    • Google updates their two OSes (Chrome OS and Android) quite often. I had a Google Pixel Android phone and received updates every month. Most of the other Android phone manufacturers (Samsung, Motorola, etc.) are the ones at fault. They hardly, if ever, update the Android OS on their phones.

    • Lyle,
      Your comment smacks of “whataboutism”.

      There is no equivalency between Google and Microsoft that you can state that would suggest Krebsonsecurity should give equal time writing about Google.

    • 123 security holes patched in 1 month for an OS that runs on 95% of all computers. Call me a hypocrite (Mac user) but Microsoft has been building security holes far too long.

  2. The Sunshine State

    Chrome 64 released an update according to CERT!

  3. Lyle all platforms have vulnerabilities including linux. This is a matter of knowledge sharing and not bashing. Let’s see you write articles.

    • The Sunshine State

      You can also say that all “browsers” have vulnerabilities too.

      • …all h/w and s/w is designed, implemented, and tested by humans, so they all have bugs…

        …i can make nix or windows secure/unsecure…

        …the issue is humans, not technology…

  4. Can you add a Twitter button so I can Tweet your posts?

  5. Charlene Schaar

    Oooh a new Windows program? Internet ExploDer?

  6. So is your reference to “Internet Exploder” a typo or also “meant to add levity” (while of course being accurately descriptive)?

  7. I’m starting to wonder if it’s not so much that their software has been getting worse, but that they’re getting better at finding bugs?

    • In accordance with a pretty low standard going around these pandemic days: if we did less looking for bugs, there would be fewer bugs, wouldn’t there?

  8. I don’t understand why this triggers some people. Aren’t *all* products subject to fixes, recalls, enhancements and/or improvements?

    What am I missing here?

    • Alan Kaminsky

      Yes, other products have flaws. For example, my car’s manufacturer has issued exactly two recalls in the ten years I’ve owned the car — and keep in mind that cars nowadays are run largely by software. Microsoft issues dozens or hundreds of patches EVERY MONTH. Many companies are capable of putting out products that work without flaws — but not Microsoft.

      • …your car has what, maybe 30 things it has to do…

        …a modern OS has thousands…

      • Also, your car’s software runs on exactly one hardware platform (even if they reuse the base build for others, the firmware/software on the vehicle is hashed for that specific board).
        A better comparison to your car would be a console (like an Xbox), which has issues and patches, but significantly fewer problems.
        The problem is that Windows has to run on just about everything. So they have a ton of holes to patch.

        But NONE of that is germane to this article, which is about a vulnerability in a SERVER component of Windows. IIRC we haven’t had very many DNS, DHCP or AD patches. While Microsoft has had several SMB patches that were critical, nearly all of them have been edge-case issues that were quickly mitigated.

      • One word, “interoperability”.

        Windows has to inter-operate with all kinds of hardware, and other software.

        Operating systems vary widely in code base and function.
        An old school casio digital watch is considered a “computer”. And modern wearables have more computing power than the system in the Apollo capsule.

        The things that can go wrong with the 60 million lines of code in a base OS are exponentially larger than some single-function module in a car.

        There are also computers used for defense, that have to meet much higher standards of reliability.
        A consumer grade operating system for a home computer doesn’t really have a need to run continuously without rebooting or patching, like a missile detection system might.

        • …actually a bit of since you mentioned reliability…

          …when the DoD was developing the early cruise missile (~1980ish) they needed reliable software, so the whole CMMI and the Software Engineering Institute at CMU was built just to solve that problem…

  9. Has anyone else noticed 2FA no longer functioning on some major corporate sites?

  10. Good writeup, somebody forgot their Snickers bar. I don’t remember which update, to Explorer, Firefox, email, etc., but security certificates to many sites were invalidated. Browsers had been updated, but the sites were taken by surprise. Stuff just didn’t work right and certificates were rejected. And the demic meant fewer than normal people to take care of business. Give them time to catch up. After all, the sales staff aren’t programmers. And yes, that work is almost old enough to vote.

  11. Michael H Sawyer

    Excellent summary I find this very useful. Keep up the top notch work (complete with humor).

  12. Excellent advice on Woody Leonhard’s site; I’ve been a member of ‘Windows Secrets’ for a decade and now it has been merged into Woody’s site, so now it is even better and has the same great staff members.

  13. Looks like something broke Outlook. I know 2 people experiencing this issue.

    This issue was posted to the Service Health Dashboard (SHD) as incident EX218604 Start time: July 16, 2020 12:18 AM. User Impact: Users may experience crashes or may be unable to access Exchange Online via Outlook.

    More info: Our analysis indicates that Outlook on the web and mobile clients are unaffected. Users may be able to leverage those protocols as an alternative means to access email and service features while we remediate this problem.

    Current status: Our initial review of the available data indicates that recently deployed updates are the likely source of the problem. We’re performing an analysis of all recent service updates to isolate the underlying cause of the problem and to determine the most expedient means to restore service.

    • Arthur Penman

      Just for those interested:
      I have found a workaround. You can roll back Office with the commands below; that version is unaffected by whatever has just been pushed to our clients.
      Office 16.x at least; unsure of “updatetoversion” if other versions are affected.

      Open an elevated command prompt and run:
      1. cd "%programfiles%\Common Files\Microsoft Shared\ClickToRun"
      2. officec2rclient.exe /update user updatetoversion=16.0.12827.20470

  14. Personally, with a CVSS of 10.0, I immediately applied the registry workaround. Even behind a Fortigate firewall, a CVE with that score is no joke.

  15. Robert Scroggins

    Keep up the good work, Brian! I like a bit of levity while trying to fix my system after the Windows updates.

    Regards,

  16. Nice Blog Thanks For Sharing

  17. That’s funny they said none has been affected since a week ago I contacted technicians from microsoft to report that my computer had been hijacked while in a support session. They WILL NOT do anything about it. What do I do now? My kids can go to school and I can’t afford to buy a new one. This is their fault they should be more apt to help me.