1. 主页
  2. 保安警报
  3. 保安警报 (A20-07-05)

高危保安警报 (A20-07-05): Microsoft 产品多个漏洞 (2020年7月)


 

发布日期: 2020年 7月 15日

  
  

描述:

Microsoft 发布了安全性更新以应对多个影响 Microsoft 产品或元件的多个漏洞。有关安全性更新的列表,请参考以下网址:

https://support.microsoft.com/en-us/help/20200714/security-update-deployment-information-july-14-2020

Microsoft 于2020年7月发布的安全更新解决了 Microsoft DNS 伺服器中的一个漏洞(CVE-2020-1350)。该漏洞影响所有 Windows Server 2008 以后的Windows Server。成功利用此漏洞可使未通过认证的攻击者在目标 Windows Server 上的 Local System Account执行任意程式码。用户应立即为受影响的系统安装修补程式,以免增加受到网络攻击的风险。

 

受影响的系统:

  • Microsoft Internet Explorer 9, 11
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Windows 7, 8.1, RT 8.1, 10
  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019
  • Microsoft Windows Server, version 1903, version 1909, version 2004
  • Microsoft 365 Apps for Enterprise
  • Microsoft Office 2010, 2016 for Mac, 2019, 2019 for Mac
  • Microsoft Office Online Server
  • Microsoft Office Web Apps 2010, 2013
  • Microsoft Word 2010, 2013, 2013 RT, 2016
  • Microsoft Outlook 2010, 2013, 2013 RT, 2016
  • Microsoft Project 2010, 2013, 2016
  • Microsoft SharePoint Foundation 2013
  • Microsoft SharePoint Enterprise Server 2013, 2016
  • Microsoft SharePoint Server 2010, 2019
  • Microsoft Lync Server 2013
  • Microsoft Visual Studio 2015, 2017, 2019
  • Microsoft .NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8
  • .NET Core 2.1, 3.1
  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Security Essentials
  • Microsoft System Center Endpoint Protection, 2012, 2012 R2
  • Windows Defender
  • Skype for Business Server 2015, 2019
  • Visual Studio Code

 

影响:

成功利用这些漏洞可以导致远端执行程式码、提高权限、篡改、服务受阻断、泄漏资讯及仿冒诈骗,视乎攻击者利用哪个漏洞而定。

 

建议:

受影响产品的修补程式可在 Windows Update 或 Microsoft Update Catalog 获取。受影响系统的用户应遵从产品供应商的建议,立即采取行动以降低风险。

Microsoft还提供了一个基于登录索( registry-based)的解决方法,以将来自上游伺服器的 DNS 应答长度限制为 65280 字节。有关解决方法的详情,请参考以下网址:

https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

 

进一步信息:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jul
https://www.hkcert.org/my_url/zh/alert/20071501
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-releases-july-2020-security-updates
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-addresses-wormable-rce-vulnerability-windows-dns-server
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1036
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1040 (to CVE-2020-1043)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1085
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1240
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1249
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1326
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1333
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1342
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1344
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1346
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1347
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1349 (to CVE-2020-1375)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1381
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1382
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1384 (to CVE-2020-1416)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1418 (to CVE-2020-1424)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1426 (to CVE-2020-1439)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1442 (to CVE-2020-1451)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1454
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1458
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1461 (to CVE-2020-1463)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1465
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1469
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1481

 



标签 : Microsoft , Internet Explorer , Edge , Windows , Windows Server , Microsoft 365 Apps , Microsoft Office , Word , Outlook , Project , SharePoint , Lync , Visual Studio , .NET Framework , .NET Core , Forefront Endpoint Protection , Security Essentials , System Center Endpoint Protection , Windows Defender , Skype , Visual Studio Code
标签