Microsoft’s Patch Tuesday updates for September 2020 fix 129 vulnerabilities, but the company says none of them has been exploited in attacks or made public before patches were released.
The tech giant has assigned a critical severity rating to 23 of the vulnerabilities affecting Windows, web browsers, Dynamics 365, SharePoint, Exchange and Visual Studio. Each of the critical flaws can be exploited for remote code execution.
Trend Micro’s Zero Day Initiative (ZDI) has pointed out that with this month’s patches Microsoft has addressed nearly 1,000 CVEs so far this year. This is the seventh month in a row with over 110 patched vulnerabilities.
Several industry professionals have shared some thoughts on this month’s patches and what they believe to be the most interesting vulnerabilities.
Richard Tsang, senior software engineer, Rapid7:
“Microsoft’s 129-Vulnerability September 2020 Update Tuesday continues the trend of a predictably high number of vulnerabilities being patched. Following standard procedures of scheduling patches for Windows Operating Systems would close the door against 60%+ vulnerabilities. However, there are notable server product-based vulnerabilities this month that may require a bit more forethought when scheduling a patching window.
The first vulnerability to note comes from Microsoft Exchange Server. CVE-2020-16875 is a CVSS 9.1-scoring remote code execution vulnerability. In this scenario, a specially crafted email sent to a vulnerable Exchange server could allow arbitrary code to run in the context of the System user due to improper handling of objects in memory. Noted as affecting supported versions of Exchange Server 2016/2019 Cumulative Update levels, this is something to prioritize patching early.
Then SharePoint slides in, causing an uptick in Critical RCE and/or high CVSS scoring vulnerabilities. Unfortunately, this set of 7 remote code execution vulnerabilities (CVE-2020-1576, CVE-2020-1452, CVE-2020-1453, CVE-2020-1200, CVE-2020-1460, CVE-2020-1210, CVE-2020-1595) and the one tampering vulnerability (CVE-2020-1523) is not marked as applying to the same set of vulnerable SharePoint editions each time. Getting an accurate risk score based off of those vulnerabilities to prioritize would require a bit more work. However, given the severity of these vulnerabilities, it’s recommended to patch up SharePoint servers next just to be safe. All these RCE vulnerabilities, when exploited, could allow arbitrary code to run under the context of the SharePoint application pool, and affect different aspects of the products from when source markup is validated (CVE-2020-1210) to handling of untrusted data against susceptible API endpoints (CVE-2020-1595).
Overall, there’s definitely an uptick of high severity server-based products requiring patching this month which may make downtime scheduling a bit more difficult than previous months.”
Todd Schell, senior product manager, security, Ivanti:
“While there are no public disclosures or exploited CVEs this month there are a few issues to be concerned about. Microsoft SharePoint has a number of Critical vulnerabilities this month including CVE-2020-1210 which has a CVSS score of 9.9. Microsoft Exchange has one CVE with a CVSS score of 9.1 (CVE-2020-16875) which could allow remote code execution if an attacker sends a specially crafted email to the affected Exchange Server. Also, CVE-2020-0761 is another remote code execution vulnerability affecting Active Directory when integrated with DNS (ADIDNS). This vulnerability has a CVSS score of 8.8.”
Allan Liska, senior security architect, Recorded Future:
“CVE-2020-16875 is a remote code execution vulnerability impacting Microsoft Exchange 2016 and 2019. The vulnerability is a memory corruption vulnerability, which means all an attacker has to do is send a specially crafted email to exploit it. Both cybercriminal and nation state threat actors are looking to exploit Microsoft Exchange because so many large enterprises rely on it. For example, CVE-2020-0688 was disclosed in February of this year and by early March exploits were being discussed on underground forums, and vulnerable systems were being scanned and exploited.
CVE-2020-1252 is a remote code execution vulnerability in the way Windows handles objects in memory. This vulnerability impacts Windows 7 – 10 and Windows Server 2008 – 2019. While this vulnerability impacts every modern version of Windows, it is difficult to execute. In order to exploit the vulnerability an attacker would have to convince a victim to download and install a malicious application. While the use of malicious applications has increased in usage as an attack vector, most of these involve the application itself conducting malicious activity rather than relying on an exploit built into the application.
CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, CVE-2020-1576 and CVE-2020-1595 are all remote code execution vulnerabilities impacting Microsoft SharePoint 2010 – 2019. CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, and CVE-2020-1576 are vulnerabilities in the way in which SharePoint fails to check the source markup of an application loaded to the server. Exploitation of the vulnerabilities would allow an attacker to run arbitrary code on the server. CVE-2020-1595 is a vulnerability in the way that SharePoint API monitors for unsafe data. To exploit the vulnerability an attacker would need to access an unpatched SharePoint server with a specially crafted API request. As Microsoft has noted, ransomware actors continue to target and exploit SharePoint vulnerabilities, so these should be high priority patches.”