We are at another patch Tuesday! It seems like the digital world is intent on proving that 2020 is just as horrifying in the digital space as it is in the real world. While we did not get a record-breaking number of CVE’s like last month, we still got 123, and they tossed on one that ranks as a 10 on the CVSS vulnerability scale, and one exploit that is already publicly known (luckily not the same one).
This usually is where I go into the more positive side of things. I find a promising trend or something that shows this month is not as bad as last month. Instead, let me tell you that July 27th is National Scotch Day, so once we are done with this, you can claim to be celebrating a holiday early instead of drinking away your worries! Anyway, 18 closed issues overall are severe, a more than 50% increase from last month.
CVE-2020-1350 - This is the exploit that is rated a 10 on the CVSS scale. It seems that it has been named SigRed. This bug impacts DNS, and it allows an unauthenticated code to run as a local system account. This means that this bug is worm-able. It is hardly comforting when you realize that most DNS server roles are handled on Domain Controllers.
CVE-2020-1463 - This is the bug that is publicly known. Luckily this one is not considered severe. Hurray for small victories! This one impacts Windows SharedStream. It allows for elevation of privilege. While that is not great, it does require you to be already authenticated to be able to elevate.
CVE-2020-1025 - This vulnerability impacts SharePoint or Skype. Those services do not handle OAuth token validation. Some unsavory types might use this to bypass authentication and get improper access to your systems.
This month is a doozy, luckily we are all professionals here, and we have already patched our labs so we can test them thoroughly before we get this into production as soon as possible! It is never a good idea to miss a patch Tuesday, but maybe this week, you might want to dive in a little bit early.
If you think that it would be crazy useful to have this automated for you? You have come to the right place. PDQ Deploy and PDQ Inventory can help you out! If you are wondering how, click here to have Lex break down how quickly we can’t get you up and running to read these for fun, not in a panic.