Fresh off the three-day Labor Day weekend, many of you are dealing with the September 2020 release of Microsoft’s monthly Patch Tuesday updates. There are 129 updates in this month’s roll-up, a slight increase over the 120 released in August. Of those, 32 CVEs are exploitable by attackers over the network, and 20 earned the dreaded “critical” severity rating, an increase over the 17 critical CVEs in the August update. At least 5 of the CVEs require “further steps to take after installing the updates,” so like many others, this one will be a fun one.
Here are the 20 most severe CVEs in the September 2020 Patch Tuesday update:
- CVE-2020-16875 – Exchange Server Remote Code Execution Vulnerability. CVSS score of 8.4. An attacker can run arbitrary code by sending a specially crafted email to a vulnerable server.
- CVE-2020-1252 – Windows Remote Code Execution Vulnerability. CVSS score of 7.8. Requires some social engineering to trick a user into running a specially crafted application.
- CVE-2020-1200 – Microsoft SharePoint Remote Code Execution Vulnerability. CVSS score of 8.6. Allows an attacker to run arbitrary code because the software fails to check the source markup of an application package.
- CVE-2020-1210 – Microsoft SharePoint Remote Code Execution Vulnerability. CVSS score of 9.9. Allows an attacker to run arbitrary code because the software fails to check the source markup of an application package.
- CVE-2020-1452 – Microsoft SharePoint Remote Code Execution Vulnerability. CVSS score of 8.6. Allows an attacker to run arbitrary code because the software fails to check the source markup of an application package.
- CVE-2020-1453 – Microsoft SharePoint Remote Code Execution Vulnerability. CVSS score of 8.6. Allows an attacker to run arbitrary code because the software fails to check the source markup of an application package.
- CVE-2020-1576 – Microsoft SharePoint Remote Code Execution Vulnerability. CVSS score of 8.5. Allows an attacker to run arbitrary code because the software fails to check the source markup of an application package.
- CVE-2020-1595 – Microsoft SharePoint Remote Code Execution Vulnerability. CVSS score of 9.9. Allows an attacker to run arbitrary code because the software fails to check the source markup of an application package. Requires that a user access a susceptible API on an affected version of SharePoint with specially formatted input.
- CVE-2020-1460 – Microsoft SharePoint Remote Code Execution Vulnerability. CVSS score of 8.6. SharePoint fails to filter unsafe ASP.NET web controls, allowing an attacker to perform actions in the security context of the SharePoint application.
- CVE-2020-1285 – GDI+ Remote Code Execution Vulnerability. CVSS score of 8.4. Allows an attacker to take control of the system: installing programs, changing or deleting data, and creating new accounts.
- CVE-2020-1593 – Windows Media Audio Decoder Remote Code Execution Vulnerability. CVSS score of 7.6. The decoder improperly handles objects in memory, allowing an attacker to take control of the system.
- CVE-2020-0997 – Windows Camera Codec Pack Remote Code Execution Vulnerability. CVSS score of 7.8. The codec improperly handles objects in memory, allowing an attacker to take control of the system and/or install arbitrary programs or code.
- CVE-2020-1129 – Windows Codecs Library Remote Code Execution Vulnerability. CVSS score of 8.8. Allows an adversary to obtain information that can be used to further compromise the user’s system.
- CVE-2020-1319 – Windows Codecs Library Remote Code Execution Vulnerability. CVSS score of 8.8. Allows an adversary to take control of the user’s system.
- CVE-2020-0908 – Windows Text Service Module Remote Code Execution Vulnerability. CVSS score of 7.5. Allows an adversary to gain code execution on a victim system.
- CVE-2020-0922 – Microsoft COM for Windows Remote Code Execution Vulnerability. CVSS score of 8.8. Allows an adversary to execute arbitrary code on the target system.
- CVE-2020-1508 – Windows Media Audio Decoder Remote Code Execution Vulnerability. CVSS score of 7.6. Convincing a user to open a specially crafted document or website allows an adversary to take control of the user’s system.
- CVE-2020-16857 – Microsoft Dynamics 365 for Finance and Operations Remote Code Execution Vulnerability. CVSS score of 7.1. Allows an adversary to gain remote code execution on the victim server.
- CVE-2020-16862 – Visual Studio Remote Code Execution Vulnerability. CVSS score of 7.8. Allows an adversary to run arbitrary code in the context of the logged-in user.
- CVE-2020-16853 – OneDrive for Windows Elevation of Privilege Vulnerability. CVSS score of 7.1. Allows an adversary to overwrite a file with elevated privileges.
For all enterprises, the usual step of backing up and then patching impacted systems is recommended, including following any additional steps provided by Microsoft in order to fully mitigate the vulnerabilities. Note that application updates for products such as SharePoint, Exchange and Visual Studio ship separately from the Windows cumulative update, so verifying the OS patch level alone does not confirm that those products are fixed.
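As an added example (not part of the original post, and not Balbix’s own tooling), the following PowerShell script reports whether a Windows host has taken the September 2020 Patch Tuesday updates. It lists hotfixes installed on or after 2020-09-08 (the September 2020 release date), checks for any KB numbers the operator requires, and asks the Windows Update Agent which updates it still considers missing, along with Microsoft’s severity rating for each. The KB list is deliberately a parameter rather than hardcoded; take the numbers from Microsoft’s release notes for your OS builds. It assumes an elevated Windows PowerShell 5.1 (or later) session on a host that can reach its update source (Microsoft Update or WSUS).

```powershell
<#
  Added example: not from the original Balbix post and not Balbix product code.
  Reports September 2020 Patch Tuesday status for the local Windows host:
    1. hotfixes recorded on or after 2020-09-08,
    2. operator-supplied KB numbers that are still absent,
    3. updates the Windows Update Agent (WUA) still reports as not installed,
       with their MSRC severity.
  Assumptions: elevated Windows PowerShell 5.1+; update source reachable unless
  -SkipOnlineCheck is given. KB numbers are supplied by the caller, not invented here.
#>
param(
    [datetime] $PatchTuesday = '2020-09-08',
    [string[]] $RequiredKBs  = @(),     # e.g. 'KB<number>' values from Microsoft's release notes
    [switch]   $SkipOnlineCheck         # skip the WUA search on air-gapped hosts
)

# 1. Hotfixes recorded since Patch Tuesday. Get-HotFix reads Win32_QuickFixEngineering,
#    which covers OS updates only; Exchange/SharePoint/Visual Studio updates are not listed here.
$recent = @(Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending)

# 2. Required KBs that are not present. Get-HotFix -Id expects the 'KB' prefix.
$missingKBs = @(foreach ($kb in $RequiredKBs) {
    $id = if ($kb -like 'KB*') { $kb } else { "KB$kb" }
    if (-not (Get-HotFix -Id $id -ErrorAction SilentlyContinue)) { $id }
})

# 3. Ask the Windows Update Agent what it still wants to install.
$pending = @()
if (-not $SkipOnlineCheck) {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        $pending += [pscustomobject]@{ Title = $u.Title; Severity = $sev; KBs = $kbs }
    }
}

$criticalPending = @($pending | Where-Object Severity -eq 'Critical')

# One row per host, suitable for collecting over Invoke-Command into a fleet report.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    RecentHotfixes    = @($recent | ForEach-Object HotFixID) -join ','
    MissingRequired   = $missingKBs -join ','
    PendingTotal      = $pending.Count
    PendingCritical   = $criticalPending.Count
    PendingCriticalKB = @($criticalPending | ForEach-Object KBs) -join ';'
    Compliant         = ($missingKBs.Count -eq 0) -and ($criticalPending.Count -eq 0)
}
```

To run it across a fleet, save it as a file and use `Invoke-Command -ComputerName <hosts> -FilePath <script>` with the same parameters; the returned objects can be piped to `Export-Csv` for a patch-status report. Two caveats: the WUA search can take a minute or more per host and needs network access to the update source, and a clean `Get-HotFix` result says nothing about the application-level updates (SharePoint, Exchange, Visual Studio, Dynamics) in this month’s list, which must be verified against each product’s own build number.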
As always, Balbix customers can quickly and easily identify any vulnerable systems by typing the CVE number into Balbix search. The result will return a list of systems that have not yet been patched. Dynamic groups can be created to track patch status – these groups will automatically update whenever an unpatched system joins the network, or whenever systems are patched to no longer be vulnerable.