Patch Tuesday - July 2020

100+ vulnerabilities patched during Patch Tuesdays the new norm


Microsoft covers another 123 CVEs this month in the July 2020 Patch Tuesday. In addition to our usual suspects like Windows, Internet Explorer/Microsoft Edge, and Microsoft Office, this Patch Tuesday addresses several developer tools such as .NET Framework and the Visual Studio Code ESLint extension, along with various open source software like TypeScript, Bond 9.0.1, and Azure Storage Explorer. The latter group doesn't go through typical patching patterns, but it likely has a smaller footprint than the typical Windows OS vulnerabilities.


Microsoft CVE-2020-1350: Windows DNS Server Remote Code Execution (AttackerKB Analysis)


The star of this Patch Tuesday is CVE-2020-1350, a wormable vulnerability in Windows Servers running the Windows DNS Server service. It affects ESU servers like Windows Server 2008 and Windows Server 2008 R2, and extends to all supported versions of Windows Server that can run the Windows DNS Server service.


With caveats, Microsoft provided a Windows Registry workaround that effectively drops TCP-based DNS response packets exceeding 65280 bytes without reporting an error. If patching cycles are slow, it's recommended that the workaround be applied ahead of the cycle. The workaround does not need to be removed prior to patching, although it would be worthwhile to undo it after patching.
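One way to audit, apply, or undo the workaround on a DNS server, as an added example that is not part of the original post. The registry path and value name are taken from Microsoft's published workaround guidance rather than from this page, and the `-Apply` and `-Remove` switches are hypothetical names chosen for this script.

```powershell
# Added example: report, set, or remove the CVE-2020-1350 registry workaround.
# Assumption: key path and value name follow Microsoft's workaround guidance.
param(
    [switch]$Apply,   # hypothetical switch: set the workaround, restart DNS
    [switch]$Remove   # hypothetical switch: undo the workaround after patching
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Limit     = 0xFF00   # 65280 bytes, the threshold described above

# Only hosts running the Windows DNS Server service are in scope.
$svc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'DNS Server service not installed; workaround not applicable.'
    return
}

function Get-WorkaroundValue {
    # Returns the configured DWORD, or $null when the value is absent.
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($prop) { $prop.$ValueName } else { $null }
}

if ($Apply) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Limit -Force | Out-Null
    Restart-Service -Name 'DNS' -Force   # change takes effect on service restart
} elseif ($Remove) {
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name 'DNS' -Force
}

$current = Get-WorkaroundValue
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    DnsServiceStatus     = (Get-Service -Name 'DNS').Status
    TcpReceivePacketSize = $current
    WorkaroundSet        = ($current -eq $Limit)
}
```

Run without switches, the script only reports state, which makes it suitable for inventorying which DNS servers still carry the workaround after patching. It cannot tell whether the service was restarted after a manual registry edit, so treat `WorkaroundSet` as configuration state only.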


For a deeper dive on this vulnerability, head on over to our blog post: Windo ..
