Microsoft Patch Tuesday fixes 123 vulnerabilities, including ‘wormable’ flaw

Microsoft has patched 123 cyber security vulnerabilities in its flagship operating system and related software.

This includes a ‘wormable’ flaw that is marked as critical; Microsoft estimates that it stands a high chance of being exploited soon.

The flaw, which is referred to as CVE-2020-1350, is a remotely exploitable bug that is present in Windows Server.

By exploiting it, an attacker can install malicious software, and doing so takes nothing more than sending a specially crafted DNS request.

Despite not being aware of any instances of exploitation yet, Microsoft has warned that this sort of attack is very easy to execute – therefore, the vulnerability bears a high risk of being exploited.

The flaw is described as ‘wormable’ because of its potential to spread autonomously: it can infect vulnerable computers without user interaction.

The latest series of updates features a total of 17 security flaw patches, all of which are rated as critical.

These can be found across several programs and frameworks, such as:

  • .NET
  • Internet Explorer
  • SharePoint
  • Visual Studio
  • Microsoft Office

The updates also feature fixes for software solutions typically used by enterprises, including:

  • SAP
  • Juniper
  • F5
  • Oracle
  • Citrix

There are some other critical bugs, including:

  • CVE-2020-1410: a Windows Address Book vulnerability that can be exploited via a malicious vCard file.
  • CVE-2020-1421: a flaw involving malicious .LNK files that can be exploited by inserting an infected removable drive.
  • CVE-2020-1435 and CVE-2020-1436: a pair of flaws in the way that Windows works with fonts and images, which can be exploited to install malware via booby-trapped documents or links.
  • CVE-2020-1463: a flaw pertaining to Windows 10 and Server 2016 that was marked as important (it has already been publicly detailed).

Before applying these updates, it is advisable to make a backup of your data.