This month's dose of Patch Tuesday updates from Microsoft includes a critical update for Windows Server versions from 2003 to 2019. The CVE-2020-1350 bug is very grave, it resides in the Windows DNS component and requires no user interaction as it can be triggered by sending a specially crafted DNS request to an unpatched server. The attacker then basically gains full control over the server. To make matters even worse, the "SIGred" bug is wormable and security researchers speculate an attack could likely infect the whole population of vulnerable computers on the Internet in almost no time, similar to what happened with the SQL Slammer exploit in 2003:
“If I’ve understood the article correctly, calling it ‘wormable’ is actually an understatement,” Vesselin Vladimirov Bontchev, a security expert who works for the National Laboratory of Computer Virology in Bulgaria, wrote on Twitter. “It’s suitable for flash worms a la Slammer, which infected the whole population of vulnerable computers on the Internet in something like 10 minutes flat.”
Bontchev was disagreeing with fellow security researcher Marcus Hutchins, who said he thought it was more likely attackers would exploit SigRed in an attempt to wage crippling ransomware campaigns. In that scenario, attackers would take control of a network’s DNS server and then use it to push malware to all connected client computers. Slammer is a reference to SQL Slammer, a worm from 2003 that exploited two vulnerabilities in Microsoft’s SQL Server. Within 10 minutes of being activated, SQL Slammer infected more than 75,000 machines, some of them belonging to Microsoft.
Client versions of Windows 10 are not affected by this bug but the software giant does have other patches that plug holes in Windows 10. In total, this month's Patch Tuesday fixes 123 vulnerabilities.