Microsoft resolves ‘wormable’ DNS security vulnerability

‘SIGRed’ flaw among 18 critical bugs addressed in bumper Patch Tuesday

Microsoft has fixed a critical security vulnerability in its DNS Server software that might be exploited by a worm.

The vulnerability (CVE-2020-1350), which dates back to coding mistakes introduced in 2003, affects all current versions of Microsoft Server (2008, 2012, 2016, and 2019).

The flaw, discovered by security researchers at Check Point, earned a maximum CVSS score of 10 and, worse yet, could be harnessed by an exploit without user interaction, making it potentially wormable.

“This means an attacker could exploit this vulnerability remotely without authentication and it can spread very quickly to all DNS Servers in your environment,” Todd Schell, senior product manager at security vendor Ivanti explained.

Code red

The flaw – dubbed ‘SIGRed’ – involves problems in handling an oversized DNS response containing an ‘SIG’ record.

Microsoft strongly advises enterprises running the DNS Server networking component to apply the security update it released on Tuesday, or take remedial action to guard against the possibility of attack.

July’s bumper edition of Patch Tuesday brought relied for 123 unique vulnerabilities, 18 of which are rated as critical.

READ MORE WordPress security: RCE flaw in Adning Advertising plugin exploited in the wild

The advisories involve flaws of varying seriousness in Microsoft Windows, Internet Explorer (IE), Edge in IE Mode, Microsoft Office, Windows Defender, Skype for Business, Visual Studio, .NET Framework, OneDrive, Azure DevOps Server, and other software.

The 18 critical CVEs variously affect the Windows operating system, IE, Office, SharePoint, .Net Framework, and Visual Studio.

A full rundown can be found in a dashboard put together by the SANS Institute’s Internet Storm Center.

In a first, Microsoft has also included Servicing Stack Updates (SSUs) for all Windows versions affected by a critical vulnerability.

Support act

Not to be completely outdone, Adobe released five patches covering 13 vulnerabilities that variously affect Adobe Cold Fusion, Download Manager, Genuine Service, Media Encoder, and the Creative Cloud desktop application.

An Adobe Creative Cloud Desktop Application update resolved four vulnerabilities including CVE-2020-9682 – the only flaw in the patch batch rated as critical.

Rounding off a particular busy day on the security patching front, Oracle released the summer edition of its quarterly patch batch.

Oracle Java SE and MySQL are among the software packages that need updating.

RECOMMENDED Open source community toasts efforts of EU-FOSSA 2 bug bounty program