Microsoft’s July 2020 Patch Tuesday Addresses 123 CVEs Including Wormable Windows DNS Server RCE (CVE-2020-1350) (SIGRed)

For the fifth month in a row, Microsoft has patched over 100 CVEs, addressing 123 CVEs in the July 2020 Patch Tuesday release. Included in this months updates are patches for Microsoft Windows, Microsoft Edge, Microsoft ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Skype for Business, Visual Studio, Microsoft OneDrive, Open Source Software, .NET Framework and Azure DevOps.

Additionally, a highly critical remote code execution (RCE) vulnerability in Windows DNS Server (CVE-2020-1350) dubbed as “SIGRed” by researchers at Check Point Research was patched by Microsoft. This vulnerability received a 10.0 CVSSv3 score, the highest possible rating and Microsoft recommends patching as soon as possible. Microsoft also opted to release a patch for Windows Server 2008, which went end of life in January, underscoring the severity of this vulnerability. For those that are not able to patch immediately,  a mitigation option has been provided by Microsoft which can be applied quickly, requiring only a restart of the DNS Service and not the host system. Microsoft acknowledges that this vulnerability is considered to be “wormable,” or potentially spreadable via malware between affected hosts in a network without any user interaction. 

You can read more about this CVE and our analysis of other important vulnerabilities patched this month in our blog here.