
Today’s VERT Alert addresses Microsoft’s July 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-895 on Wednesday, July 15th.

In-The-Wild & Disclosed CVEs 

CVE-2020-1463

A vulnerability in the SharedStream Library could allow a locally authenticated attacker to run a malicious application in order to elevate their privileges.

Microsoft has rated this as a 2 (Exploitation Less Likely) on the latest software release on the Exploitability Index.

CVE Breakdown by Tag

While the historical Microsoft Security Bulletin groupings are gone, each Microsoft vulnerability is tagged with an identifier. This list provides a breakdown of the CVEs on a per-tag basis.

| Tag | CVE Count | CVEs |
| --- | --- | --- |
| Windows Update Stack | 3 | CVE-2020-1424, CVE-2020-1346, CVE-2020-1392 |
| Windows Hyper-V | 6 | CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1043, CVE-2020-1042 |
| Skype for Business | 1 | CVE-2020-1025 |
| Windows Subsystem for Linux | 1 | CVE-2020-1423 |
| Microsoft JET Database Engine | 3 | CVE-2020-1400, CVE-2020-1401, CVE-2020-1407 |
| Microsoft Windows | 51 | CVE-2020-1350, CVE-2020-1418, CVE-2020-1420, CVE-2020-1421, CVE-2020-1422, CVE-2020-1347, CVE-2020-1352, CVE-2020-1353, CVE-2020-1354, CVE-2020-1356, CVE-2020-1359, CVE-2020-1363, CVE-2020-1365, CVE-2020-1366, CVE-2020-1370, CVE-2020-1371, CVE-2020-1372, CVE-2020-1373, CVE-2020-1374, CVE-2020-1375, CVE-2020-1384, CVE-2020-1385, CVE-2020-1386, CVE-2020-1387, CVE-2020-1390, CVE-2020-1391, CVE-2020-1393, CVE-2020-1394, CVE-2020-1395, CVE-2020-1398, CVE-2020-1399, CVE-2020-1402, CVE-2020-1404, CVE-2020-1405, CVE-2020-1406, CVE-2020-1410, CVE-2020-1413, CVE-2020-1427, CVE-2020-1428, CVE-2020-1429, CVE-2020-1430, CVE-2020-1431, CVE-2020-1434, CVE-2020-1437, CVE-2020-1438, CVE-2020-1463, CVE-2020-1249, CVE-2020-1267, CVE-2020-1333, CVE-2020-1085, CVE-2020-1330 |
| Microsoft Malware Protection Engine | 1 | CVE-2020-1461 |
| Microsoft Edge | 2 | CVE-2020-1433, CVE-2020-1462 |
| Windows WalletService | 5 | CVE-2020-1344, CVE-2020-1361, CVE-2020-1362, CVE-2020-1364, CVE-2020-1369 |
| .NET Framework | 1 | CVE-2020-1147 |
| Microsoft OneDrive | 1 | CVE-2020-1465 |
| Visual Studio | 2 | CVE-2020-1416, CVE-2020-1481 |
| Windows Kernel | 10 | CVE-2020-1336, CVE-2020-1419, CVE-2020-1357, CVE-2020-1358, CVE-2020-1367, CVE-2020-1388, CVE-2020-1389, CVE-2020-1396, CVE-2020-1411, CVE-2020-1426 |
| Microsoft Graphics Component | 11 | CVE-2020-1351, CVE-2020-1355, CVE-2020-1381, CVE-2020-1382, CVE-2020-1397, CVE-2020-1408, CVE-2020-1409, CVE-2020-1412, CVE-2020-1435, CVE-2020-1436, CVE-2020-1468 |
| Internet Explorer | 1 | CVE-2020-1432 |
| Windows Shell | 4 | CVE-2020-1360, CVE-2020-1368, CVE-2020-1414, CVE-2020-1415 |
| Open Source Software | 1 | CVE-2020-1469 |
| Microsoft Office | 10 | CVE-2020-1349, CVE-2020-1439, CVE-2020-1442, CVE-2020-1445, CVE-2020-1446, CVE-2020-1447, CVE-2020-1448, CVE-2020-1449, CVE-2020-1458, CVE-2020-1240 |
| Microsoft Scripting Engine | 1 | CVE-2020-1403 |
| Microsoft Office SharePoint | 7 | CVE-2020-1342, CVE-2020-1456, CVE-2020-1443, CVE-2020-1444, CVE-2020-1450, CVE-2020-1451, CVE-2020-1454 |
| Azure DevOps | 1 | CVE-2020-1326 |

Other Information

In addition to the Microsoft vulnerabilities included in the July Security Guidance, an advisory was also released today.

Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers [ADV200008]

Microsoft has announced a tampering vulnerability that exists between HTTP proxies and web servers that do not follow the RFCs completely. An attacker who exploited this vulnerability could modify HTTP responses or access data from HTTP sessions other than their own. Microsoft has released guidance around changing a registry value to Disable Request Filtering and recommends testing specific environments to ensure that no interactions occur.
