Microsoft has released yet another gargantuan security update this month, fixing 123 vulnerabilities including 18 marked critical.
The July Patch Tuesday is close to the largest ever update, which came last month, fixing 129 bugs, and is the fifth month in a row that the Redmond giant has issued patches for over 100 software flaws.
Although none of the bugs listed are known to be actively exploited in the wild, four of the critical vulnerabilities are market as “exploitation more likely.”
Gill Langston, head security nerd at SolarWinds MSP, urged administrators to tackle one of these, CVE-2020-1350, first.
“While there are vulnerabilities listed in many areas this month, I cannot stress enough how important the patch for Microsoft DNS server is for this month. While restarting your DNS server or the Active Directory server it is a part of was likely not in this week’s plans, you should really consider making this patch your number one priority,” he argued.
“Since nearly everyone is running DNS with Active Directory, bad actors are likely to see the high target count this offers and develop exploits rather quickly. If you cannot patch it, at least set aside some time to deploy the workaround to protect this important part of your infrastructure until you can deploy the patch.”
The 18 critical CVEs affect Windows, IE, Office, SharePoint, .Net Framework and Visual Studio. Ivanti senior product manager, Todd Schell, said the OS, browser and Office should be prioritized, but that SharePoint, .Net and Visual Studio should not be neglected.
“Microsoft has also included Servicing Stack Updates (SSUs) for all Windows versions in this month’s updates that resolves a critical vulnerability, which is a first,” he added.
“CVE-2020-1346 is an elevation of privilege vulnerability in Windows Modules Installer that could allow an attacker to gain elevated privileges on the affected system. In this case the attacker would need to execute code on the target system. This vulnerability affects all Windows OSs including Windows 7, Server 2008 and 2008 R2.”