As part of the July update Tuesday, Microsoft engineers fixed 123 vulnerabilities in 13 different products. Any of them was under attack.In July did not reach the record of June Tuesday only a little, when were fixed129 vulnerabilities.
The most serious vulnerability fixed this time is the CVE-2020-1350 problem, also known as SigRed, found as part of the Windows DNS Server. The vulnerability was discovered by Check Point specialists and scored 10 points out of 10 on the CVSSv3 vulnerability rating scale.
Other major issues this month included vulnerabilities that could allow remote code execution that were discovered as part of:
- RemoteFX vGPU component in the Microsoft Hyper-V hypervisor (CVE-2020-1041, CVE-2020-1040, CVE-2020-1032, CVE-2020-1036, CVE-2020-1042, CVE-2020-1043);
- Jet Database Engine, included in some Office applications (CVE-2020-1400, CVE-2020-1401, CVE-2020-1407);
- Microsoft Word (CVE-2020-1446, CVE-2020-1447, CVE-2020-1448);
- Microsoft Excel (CVE-2020-1240);
- Microsoft Outlook (CVE-2020-1349);
- Microsoft Sharepoint (CVE-2020-1444);
- Windows LNK shortcut files (CVE-2020-1421);
- various Windows graphics components (CVE-2020-1435, CVE-2020-1408, CVE-2020-1412, CVE-2020-1409, CVE-2020-1436, CVE-2020-1355).
Adobe, in turn, has fixed more than a dozen vulnerabilities in products such as Creative Cloud, Media Encoder, Genuine Service, ColdFusion, and Download Manager.
So, in the Windows version of Download Manager, Adobe fixed a critical error that allowed the introduction of commands, which could lead to the execution of arbitrary code.
“In Media Encoder for Windows and macOS, were resolved two critical out-of-bounds writing issues that could also lead to arbitrary code execution, as well as an out-of-bounds reading error that entailed information disclosure”, – report Adobe experts.
A critical vulnerability has also been fixed in the desktop version of Creative Cloud. The problem is with symbolic links, which can allow an attacker to write arbitrary files to the target system. Three other vulnerabilities detected in the application are marked as important and allow increasing privileges in the system.
As part of the Genuine Service, have been fixed two bugs that allow privilege escalation, as well as in ColdFusion.
Recent patches include disclosure in NetWeaver (CVE-2020-6285) and several not-so-dangerous errors in Disclosure Management (CVE-2020-6267), Business Objects (CVE-2020-6281, CVE-2020-6276), NetWeaver AS JAVA (CVE-2020-6282) and Business Objects BI (CVE-2020-6278, CVE-2020-6222).
Also this month were released patches for the products of other vendors, including several updates from VMware, fixing about a hundred errors from Oracle (the highest CVSS score is 8.8 points for CVE-2016-1000031 vulnerability), and also updated Chrome, where One critical error and seven high-severity flaws were corrected.