Microsoft has issued patches to correct 129 vulnerabilities on September 2020 Patch Tuesday, 32 of which are remote code execution vulnerabilities and 20 of which have been rated critical. The vulnerabilities are spread across 15 products.
While there are a large number of critical vulnerabilities in this month’s round of updates, none of the vulnerabilities are currently being exploited in the wild. Exploits for some of the flaws are expected to be developed quickly, however, so prompt patching is essential.
September 2020 Patch Tuesday: Critical Vulnerabilities
The critical flaws affect Windows (CVE-2020-1252), Windows Graphics Device Interface (GDI) (CVE-2020-1285), Windows Media Audio Decoder (CVE-2020-1593, CVE-2020-1508), Microsoft Windows Codecs Library (CVE-2020-1319, CVE-2020-1129), Windows Text Service Module (CVE-2020-0908), Windows Camera Codec Pack (CVE-2020-0997), on-premises Microsoft Dynamics 365 systems (CVE-2020-16857, CVE-2020-16862), Microsoft SharePoint (CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, CVE-2020-1576, CVE-2020-1595), Microsoft SharePoint Server (CVE-2020-1460), Microsoft COM for Windows (CVE-2020-0922), Visual Studio (CVE-2020-16874), and Microsoft Exchange Server (CVE-2020-16875).
While all of the above vulnerabilities are serious and warrant immediate patching, there are some that stand out as being particularly dangerous.
Arguably the most serious of the vulnerabilities is CVE-2020-16875, which is a remote code execution vulnerability affecting Microsoft Exchange Server 2016 (Cumulative Update 16 & 17) and Microsoft Exchange Server 2019 (Cumulative Update 5 & 6).
If the flaw is exploited, an attacker could execute arbitrary code in the context of the System user. This is a memory corruption vulnerability which could be exploited simply by sending a specially crafted email to a target. Exploitation of the vulnerability would allow a remote attacker to install programs, create new accounts, and access, modify and delete data. This vulnerability is one of the most likely flaws to be exploited by hackers, not only due to the severity of the flaw and ease of exploitation, but also due to the number of businesses that are using MS Exchange 2016 and 2019. The flaw has been assigned a CVSS v3 base score of 9.1 out of 10.
The flaws in SharePoint should also be prioritized. There are 7 SharePoint flaws, 6 of which have been rated critical and do not require authentication. SharePoint is also extensively used by businesses, so these flaws are likely to be targeted. The critical RCE flaw, CVE-2020-1210, is one of the most serious SharePoint flaws, having been assigned a CVSS v3 base score of 9.9. This vulnerability is due to the failure of SharePoint to check an application package’s source markup.
While only assigned a CVSS score of 8.8, the Windows Codecs Library flaw, CVE-2020-1129, is a concern as the Codecs Library is used by a wide range of applications. The flaw can be exploited by convincing a user to view a specially crafted video clip.
The Windows Text Service Module RCE flaw, CVE-2020-0908, could also be exploited by tricking a user, via a phishing email for example, into visiting a malicious site, one that contains malicious user-provided content or advertisements.