Microsoft Patch Tuesday, July 2020

Microsoft today released updates to plug a whopping 123 security holes in Windows and related software, including fixes for a critical, “wormable” flaw in Windows Server versions that Microsoft says is likely to be exploited soon.

Top of the heap this month in terms of outright scariness is CVE-2020-1350 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350), which concerns a remotely exploitable bug in more or less all versions of Windows Server that attackers could use to install malicious software simply by sending a specially crafted DNS request.

Microsoft said it is not aware of reports that anyone is exploiting the weakness (yet), but the flaw has been assigned a CVSS score of 10, which translates to “easy to attack” and “likely to be exploited.”

“We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction,” Microsoft wrote in its documentation of CVE-2020-1350. “DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts.”

CVE-2020-1350 is just the latest worry for enterprise system administrators in charge of patching dangerous bugs in widely-used software. Over the past couple of weeks, fixes for flaws with high severity ratings have been released for a broad array of software products typically used by businesses, including Citrix, F5, Juniper, Oracle and SAP. This at a time when many organizations are already short-staffed and dealing with employees working remotely thanks to the COVID-19 pandemic.

The Windows Server flaw isn’t the only nasty one addressed this month that malware or malcontents can use to break into systems without any help from users. A full 17 other flaws fixed in this release earned Microsoft’s most dire “critical” rating, including bugs in Office, Internet Explorer, SharePoint, Visual Studio, and Microsoft’s .NET Framework.

Some of the more eyebrow-raising critical bugs addressed this month include CVE-2020-1410 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1410), which according to Recorded Future concerns the Windows Address Book and could be exploited via a malicious vCard file. Then there’s the fix for CVE-2020-1421 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1421), which protects against potentially malicious .LNK files (think Stuxnet) that could be exploited via an infected removable drive or remote share. And we have the dynamic duo of CVE-2020-1435 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1435) and CVE-2020-1436 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1436), which involve problems with the way Windows handles images and fonts, and which could both be exploited to install malware just by getting a user to click a booby-trapped link or document.

Not to say flaws rated “important” as opposed to critical aren’t also a concern. Chief among those is CVE-2020-1463, a problem within Windows 10 and Server 2016 or later that was detailed publicly prior to this month’s Patch Tuesday.

How to manually check for Updates in Windows 10

Open the Start Menu and click on Settings > Update & Security settings.

Here, press on the Check for updates button.

If any updates are available, they will be offered to you.

If Windows Update says that your PC is up to date, it means that you have all the updates that are currently available for your system.

If you are looking for details on the latest updates, click on the Details link. More details about the updates will then be shown to you.

If you need more information about the updates, click on the Learn more link. Every update comes with a KB number. Here for example you can see update KB3103688 being offered. You could search on your favorite search engine using this KB number. Relevant results about the update are sure to be offered.

You can make your Windows 10 receive updates for other Microsoft products and software, like Office, when you update Windows.
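
For administrators who need to run the same check on servers without clicking through Settings, here is a scripted equivalent in PowerShell. It is an added example, not part of the original article: it lists pending updates with their KB numbers and Microsoft severity rating through the Windows Update Agent COM API, and warns when the host also runs the DNS Server service, the component affected by CVE-2020-1350. The function name Get-PendingUpdate is hypothetical, and the script assumes the DNS Server role registers a service named "DNS".

```powershell
# Added example (not from the original article).
# Lists updates that Windows Update would offer, with KB number and severity.

function Get-PendingUpdate {   # hypothetical helper name
    # Windows Update Agent COM API, present on Windows 10 and Windows Server.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Software updates that are neither installed nor hidden by the user.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            # MsrcSeverity is empty for updates Microsoft did not rate.
            Severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
            Title    = $update.Title
        }
    }
}

$pending  = @(Get-PendingUpdate)
$critical = @($pending | Where-Object { $_.Severity -eq 'Critical' })

if ($pending.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no pending updates found."
} else {
    $pending | Sort-Object Severity, KB | Format-Table -AutoSize -Wrap
}

if ($critical.Count -gt 0) {
    Write-Warning "$($critical.Count) pending update(s) rated Critical."
}

# Assumption: the DNS Server role runs as a service named 'DNS'.
$dnsService = Get-Service -Name DNS -ErrorAction SilentlyContinue
if ($null -ne $dnsService -and $pending.Count -gt 0) {
    Write-Warning "DNS Server service is present and updates are pending; patch this host first."
}
```

The search queries whichever update source the machine is configured to use (Windows Update or an internal WSUS server), so results reflect only what that source currently offers.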