Microsoft Security Advisories and other Patches (July 2020)

Microsoft has published some security advisories about vulnerabilities and released further updates around 14 July 2020. I would like to add this information to the blog post.


IIS-Server Request Smuggling Filter

Microsoft is aware of a tampering issue involving the IIS server that affects how sequences of HTTP requests coming from multiple sources are handled between HTTP proxies (front-end) and web servers (back-end). An attacker who successfully exploited the vulnerability could merge multiple requests into the body of a single request to a web server, which could allow them to modify responses or retrieve information from another user's HTTP session.

Microsoft recommends that administrators check their front-end environment configurations and, if necessary, enable the request smuggling filter. Testing is required to confirm that front-end load balancers and proxies do not forward faulty requests: such requests are rejected when the filter is enabled, which may interfere with communication. Details can be found in ADV200008.

Servicing Stack Update mitigates vulnerability

Microsoft has released a Servicing Stack Update (SSU) for various versions of Windows. This update introduces quality improvements to the servicing stack, but also fixes a more critical vulnerability in the Windows Modules Installer. The update ensures that the Windows Modules Installer handles file operations correctly. For more information, see CVE-2020-1346 | Windows Modules Installer Elevation of Privilege Vulnerability. For a list of SSUs for various versions of Windows, see ADV990001.

Revisions to security advisories

Microsoft has also revised security advisories CVE-2020-0762, CVE-2020-0763 and CVE-2019-1469.

CVE-2020-0762 | Windows Defender Security Center Elevation of Privilege Vulnerability
– Version: 3.0
– Reason for Revision: In the Security Updates table the following revisions were
   made: 1. Added Windows Server 2019 and Windows Server 2019 (Server Core
   installation) because they are affected by this vulnerability. 2. Removed all
   supported versions of Windows 10 Version 1709 because they are not affected by
   this vulnerability. 3. Corrected the Article and Download links.
– Originally posted: March 10, 2020
– Updated: July 14, 2020
– Aggregate CVE Severity Rating: Important


CVE-2020-0763 | Windows Defender Security Center Elevation of Privilege Vulnerability
– Version: 3.0
– Reason for Revision: In the Security Updates table the following revisions were
   made: 1. Added all supported versions of Windows 10 Version 1709 because they are
   affected by this vulnerability. 2. Corrected the Article and Download links.
– Originally posted: March 10, 2020
– Updated: July 14, 2020
– Aggregate CVE Severity Rating: Important

CVE-2019-1469 | Win32k Information Disclosure Vulnerability
– Version: 3.0
– Reason for Revision: Added all versions of Windows 10 Version 2004 to the Security
   Updates table because it is affected by this vulnerability. Microsoft recommends
   that customers running Windows 10 Version 2004 install the latest security updates
   to be fully protected from this vulnerability.
– Originally posted: December 10, 2020
– Updated: July 14, 2020
– Aggregate CVE Severity Rating: Important

Further updates as of 14 July 2020

On patchday, July 14, 2020, Microsoft released further security updates for its software.

Internet Explorer Security Update KB4565479

For Internet Explorer 11, Microsoft has released the cumulative security update KB4565479. This security update resolves vulnerabilities in Internet Explorer. If you are running Windows 7 through Windows 8.1 or their server counterparts and install only the security-only updates, you should also install the IE security update.

.NET Framework Update KB4566517

Microsoft has released a .NET Framework Update KB4566517 for Windows 7 SP1 and Windows Server 2008 R2 SP1, but it causes installation issues. I refer to the discussion in the German blog and the forum thread at askwoody.com.

There is also a new version of the .NET Framework Update KB4565636, called KB4565636-v2 (dated July 23, 2020), which is intended to resolve installation issues that ESU licensees may encounter with KB4565636. It can be downloaded from the Microsoft Update Catalog.
