An elevation of privilege vulnerability exists when Microsoft SharePoint Server and Skype for Business Server improperly handle OAuth token validation. An attacker who successfully exploited the vulnerability could bypass authentication and achieve improper access.

To exploit this vulnerability, an attacker would need to modify the token.

The update addresses the vulnerability by modifying how Microsoft SharePoint Server and Skype for Business Server validate tokens.

Information published.

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.

Information published.

An information disclosure vulnerability exists when Microsoft Office software reads out of bound memory due to an uninitialized variable, which could disclose the contents of memory. An attacker who successfully exploited the vulnerability could view out of bound memory.

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software.

The security update addresses the vulnerability by properly initializing the affected variable.

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.

Information published.

A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.

To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.

Note that the Preview Pane is an attack vector for this vulnerability.

The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory.

Is the Preview Pane an attack vector for this vulnerability?

Yes, the Preview Pane is an attack vector.

Information published.

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

The update addresses the vulnerability by modifying how Windows DNS servers handle requests.

This vulnerability has a CVSS Base score of 10. How bad is this?

We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts.

Are any other non-Microsoft DNS server implementations impacted by this vulnerability?

The vulnerability stems from a flaw in Microsoft’s DNS server implementation and is not the result of a protocol level flaw, so it does not affect any other non-Microsoft DNS server implementations.

Under what circumstances would I consider using the registry key workaround?

Microsoft recommends everyone who runs DNS servers to install the security update as soon as possible. However, if you are unable to apply the patch right away, Microsoft recommends that you use the workaround as soon as possbile to protect your environment in the time before you install the updates.

Is the Windows DNS client affected by this vulnerability?

No, the vulnerability only affects Microsoft's Windows DNS Server implementation, so the Windows DNS client is not affected.

The following registry modification has been identified as a workaround for this vulnerability.

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters 
  DWORD = TcpReceivePacketSize 
  Value = 0xFF00

 Note: A restart of the DNS Service is required to take effect.

Please see 4569509 for more information.

To remove the workaround:

After applying the patch, the admin can remove the value TcpReceivePacketSize and its corresponding data so that everything else under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters remains as before.

Information published.

An elevation of privilege vulnerability exists when the Windows Diagnostics Execution Service fails to properly sanitize input, leading to an unsecure library-loading behavior. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.

The security update addresses the vulnerability by correcting how the Windows Diagnostics Execution Service sanitizes input, to help preclude unintended elevated system privileges.

Information published.

An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.

The security update addresses the vulnerability by correcting how the Windows kernel initializes memory.

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.

Information published.

An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations.

To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to disclose information.

The security update addresses the vulnerability by correcting how Windows Error Reporting handles file operations.

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.

Information published.

A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive(or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice, on the target system.

The security update addresses the vulnerability by correcting the processing of shortcut LNK references.

Information published.

An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context.

An attacker could exploit this vulnerability by running a specially crafted application on the victim system.

The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory.

Information published.

An elevation of privilege vulnerability exists in the way that the Windows Subsystem for Linux handles files. An attacker who successfully exploited the vulnerability could execute code with elevated privileges.

To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application.

The security update addresses the vulnerability by correcting how the Windows Subsystem for Linux handles files.

Information published.

An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

The update addresses the vulnerability by correcting how the Windows Update Stack handles objects in memory.

Information published.

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.

The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests.

Information published.

Executive Summary

Microsoft is aware of a tampering vulnerability in the way that HTTP proxies (front-end) and web servers (back-end) that do not strictly adhere to RFC standards handle sequences of HTTP requests received from multiple sources. An attacker who successfully exploited the vulnerability could combine multiple requests into the body of a single request to a web server, allowing them to modify responses or retrieve information from another user's HTTP session.

To exploit the vulnerability against an IIS Server hosting a website, an unauthenticated attacker could send a specially crafted request to a targeted IIS Server serviced by a front-end load balancer or proxy that does not strictly adhere to RFC standards.

Recommended Actions

Microsoft recommends that administrators review front-end environmental configurations, and if necessary, enable the request smuggling filter. Testing is required to determine that front-end load balancers and proxies do not forward malformed requests; these requests will be rejected when the filter is enabled, and may disrupt communications.

Enable the request smuggling filter on your web server by using the Registry Editor

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
3. Set DWORD type value DisableRequestSmuggling to one of the following:
   • Set to 0 to disable the filter
   • Set to 1 to enable the filter
4. Exit Registry Editor.
5. Restart the computer.

Information published.

An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

The security update addresses the vulnerability by ensuring the Windows WalletService properly handles objects in memory.

Information published.

An elevation of privilege vulnerability exists when the Windows Modules Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges.

To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application.

The security update addresses the vulnerability by ensuring the Windows Modules Installer properly handles file operations.

What updates do I need to install to be protected from this vulnerability?

To be protected from this vulnerability, customers need to install the July 2020 Servicing Stack Updates (SSUs) listed in the Security Updates table.

Do I need to install the Servicing Stack Updates and the July Security Updates in any particular order?

SSUs should always be installed before any new update for Windows, including the latest cumulative update (LCU), Monthly Rollup, or Security Update.

Information published.

An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges.

To exploit the vulnerability, an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application.

The security update addresses the vulnerability by ensuring the Windows Storage Services properly handle file operations.

Information published.

An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

An authenticated attacker could exploit this vulnerability by running a specially crafted application.

The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory.

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.

Information published.