Patch Tuesday brought a fourth straight month of Microsoft fixing more than 100 security vulnerabilities (CVEs) in their July updates. Here’s our callout of updates and issues we think you’ll want to be aware of.

Interesting Fact

According to a report by Filip Truta at Security Boulevard, 60% of breaches that occurred in 2019 involved vulnerabilities for which patches were available but not applied. He asserts that while cyber risk has become a standard board room discussion “many hurdles associated with cybersecurity tools and processes have yet to be resolved. For example, unpatched software vulnerabilities–one of the most common attack vectors for cybercriminals—remains a huge problem for organizations everywhere.”

Microsoft’s July updates resolve approximately 120 vulnerabilities in their products. By using patch policies in ZENworks Patch Management, you can automate the entire process of maintenance patching and reduce your exposure to attack vectors left open by unpatched software.  Patch policies let you set the criteria for including a patch in the policy, automatically download the patch content and apply it to test devices, and after successful installation on the test devices roll out the patches to your production devices on the schedule you determine. Trusted automation resulting in greater patch currency across your devices.

Newsworthy Events

• Microsoft released an update for CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server. This is classified as a “wormable” vulnerability that can be exploited remotely without authentication and has been given a CVSS base score of 10.0. It affects all Windows Server versions. Microsoft recommends updating as soon as possible but has identified a non-patching, non-restart workaround as an intermediate solution until you can update.
• There is one publicly disclosed vulnerability this month: CVE-2020-1463 Windows SharedStream Library Elevation of Privilege Vulnerability. It affects Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server versions 1903 | 1909 | 2004. The updates this month fix the vulnerability, but the public disclosure classification means that prior to the update being available there was already enough public information to enable threat actors to begin working on a exploit. The recommendation is to apply the update as soon as possible.
• Microsoft identified six remote code execution vulnerabilities in Hyper-V RemoteFX vGPU that will not be fixed (CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043). This month’s updates disable and remove the RemoteFX vGPU components.
• All Windows operating systems have a July Servicing Stack Update (SSU). For the first time ever, the SSU fixes a security vulnerability (CVE-2020-1346). The July SSU is not required to install July updates.

Quick Take

• July Patch Tuesday resolves 123 Microsoft CVEs. This is the fourth month in a row with updates that fix at least 100 vulnerabilities.
• 18 of the 123 CVEs involve critical remote code-execution flaws that were patched in Windows, Internet Explorer, SharePoint server, .NET Framework, and Visual Studio.
• One of the 123 CVEs was publicly disclosed (CVE-2020-1463).
• Google released Chrome updates that resolve 38 vulnerabilities, including one Critical vulnerability.

Windows Server 2019 Updates

• There is a new Servicing Stack Update (KB4558997). It is not a prerequisite for July updates but does fix one security vulnerability (CVE-2020-1346).
• The cumulative update (KB4558998) resolves 84 new CVEs including 7 critical CVEs. None have public disclosures or known exploits.
• The Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Windows Server 2019 for x64 (KB4566516) resolves a critical remote code execution vulnerability (CVE-2020-1147) and should be applied.

Windows Server 2016 Updates

• There is a new Servicing Stack Update (KB4565912). It is not a prerequisite for July updates but does fix one security vulnerability (CVE-2020-1346).
• The cumulative update (KB4565511) resolves 71 new CVEs, including 7 critical CVEs and disabling\removing of Hyper-V RemoteFX vGPU to resolve 6 additional CVEs. None have public disclosures or known exploits.
• The Cumulative Update for .NET Framework 4.8 for Windows Server 2016 for x64 (KB4565628 or KB4565631) resolves a critical remote code execution vulnerability (CVE-2020-1147) and should be applied.

Windows 10 Updates

• There is a new Servicing Stack Update (KB number varies by version) for versions 1507 through 2004. It is not a prerequisite for July updates but does fix one security vulnerability (CVE-2020-1346).
• The cumulative update (KB number varies by version) resolves up to 80 CVEs depending on the version. None have public disclosures or known exploits. Each update includes one or more critical CVEs.
• The Cumulative Update for .NET Framework for Windows 10 (KB number varies by version) resolves a critical remote code execution vulnerability (CVE-2020-1147) and should be applied.

Windows 8.1 / Windows Server 2012 R2 Updates

• There is a new Servicing Stack Update (KB4566425). It is not a prerequisite for July updates but does fix one security vulnerability (CVE-2020-1346).
• The Security Monthly Quality Rollup (KB4565541) resolves 40 new CVEs including 7 critical CVEs;  an additional 6 CVEs that are resolved by disabling\removing of Hyper-V RemoteFX vGPU; and 2 new Internet Explorer 11 CVEs. None have public disclosures or known exploits.
• The Security Only Quality Update (KB4565540) resolves 40 new CVEs including 7 critical CVEs; and an additional 6 CVEs that are resolved by disabling\removing of Hyper-V RemoteFX vGPU;
• The Security Update for Internet Explorer 11 (KB4565479) resolves 2 new CVEs including 1 critical CVE. None have public disclosures or known exploits. Apply it with the Security Only Quality Update (KB4565540). It is not needed with the Security Monthly Quality Rollup (KB4565541).
• The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows 8.1 and Server 2012 R2 (KB4566468 and KB4566519) resolves a critical remote code execution vulnerability (CVE-2020-1147) and should be applied.

Windows Server 2012 Updates

• There is a new Servicing Stack Update (KB4566426). It is not a prerequisite for July updates but does fix one security vulnerability (CVE-2020-1346).
• The Security Monthly Quality Rollup (KB4565537) resolves 40 new CVEs including 7 critical CVEs;  an additional 6 CVEs that are resolved by disabling\removing of Hyper-V RemoteFX vGPU; and 2 new Internet Explorer 11 CVEs. None have public disclosures or known exploits.
• The Security Only Quality Update (KB4565535) resolves 40 new CVEs including 7 critical CVEs; and an additional 6 CVEs that are resolved by disabling\removing of Hyper-V RemoteFX vGPU;
• The Security Update for Internet Explorer 11 (KB4565479) resolves 2 new CVEs including 1 critical CVE. None have public disclosures or known exploits. Apply it with the Security Only Quality Update (KB4565535). It is not needed with the Security Monthly Quality Rollup (KB4565537).
• The Security Only Update for .NET for Windows Server 2012 (KB4566467) resolves a critical remote code execution vulnerability (CVE-2020-1147) and should be applied.

Windows 7 / Windows Server 2008 R2 Extended Security Updates

• With the exception of the July Servicing Stack Update, these can only be installed on devices that have an active ESU MAK license.
• In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
• There is a new Servicing Stack Update (KB4565354). It is not a prerequisite for July updates but does fix one security vulnerability (CVE-2020-1346).
• The Security Monthly Quality Rollup (KB4565524) resolves 35 new CVEs including 6 critical CVEs; and 2 new Internet Explorer 11 CVEs. None have public disclosures or known exploits.
• The Security Only Quality Update (KB4565539) resolves 35 new CVEs including 6 critical CVEs
• The Security Update for Internet Explorer 11 (KB4565479) resolves 2 new CVEs including 1 critical CVE. None have public disclosures or known exploits. Apply it with the Security Only Quality Update (KB4565539). It is not needed with the Security Monthly Quality Rollup (KB4565524).
• The Security Only Update for .NET for Windows Server 2008 R2 (KB4566466) resolves a critical remote code execution vulnerability (CVE-2020-1147) and should be applied.

Windows Server 2008 Extended Security Updates

• With the exception of the July Servicing Stack Update, these can only be installed on devices that have an active ESU MAK license.
• In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
• There is a new Servicing Stack Update (KB4565353). It is not a prerequisite for July updates but does fix one security vulnerability (CVE-2020-1346).
• The Security Monthly Quality Rollup (KB4565536) resolves 32 new CVEs including 6 critical CVEs; and 2 new Internet Explorer 11 CVEs. None have public disclosures or known exploits.
• The Security Only Quality Update (KB4565529) resolves 32 new CVEs including 6 critical CVEs
• The Security Update for Internet Explorer 9 (KB4565479) resolves 2 new CVEs including 1 critical CVE. None have public disclosures or known exploits. Apply it with the Security Only Quality Update (KB4565529). It is not needed with the Security Monthly Quality Rollup (KB4565536).
• The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows Server 2008 (KB4566469 and KB4566520) resolves a critical remote code execution vulnerability (CVE-2020-1147) and should be applied.

Microsoft SharePoint Server

• The monthly Security Updates resolve 14 CVEs across Enterprise Server 2013 & 2016, Foundation Server 2013, and SharePoint Server 2010. None have public disclosures or known exploits. None are Critical severity.

Microsoft Office 2010–2016 (Windows) and 2016-2019 (Mac)

• The Security Update resolves up to 11 new CVEs depending on the version. None have public disclosures or known exploits. The maximum severity is Critical.

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

• Each channel update resolves 9 new CVEs depending on the version. None have public disclosures or known exploits. The maximum severity is Critical.

Google Chrome

• 84.0.4147.89 update resolves 38 new CVEs. None have public disclosures or known exploits. One is Critical severity.

Mozilla Firefox

• Firefox 68.10.0 ESR resolves 5 new CVEs. None have public disclosures or known exploits. None are Critical severity.
• Firefox 78.0.2 resolves 1 new CVE. None have public disclosures or known exploits. None are Critical severity.

Darrin VandenBos (@DarrinVandenBos)
Product Manager, Endpoint Management