As we head into September, Microsoft fixed another large chunk of vulnerabilities this month. While none of the “Critical” vulnerabilities appear to be under active attack (at the time of review), there is a higher count of vulnerabilities Microsoft has chosen to label as “Critical”—at least in comparison to the last few months. Additionally, most vulnerabilities are marked as “Important,” with only a handful listed as “Low” or “Moderate.” All in all, there are 129 vulnerabilities fixed this month, with 23 marked “Critical” and 105 as “Important.” For September, Microsoft has listed all the “Critical” vulnerabilities as “Exploitation Less Likely.” We’ll also review a couple of “Important” fixes worth paying attention to.
CVE-2020-0908 is a Windows Text Service Module Remote Code Execution Vulnerability that would allow an attacker to execute code on a target system if a user accessed a malicious website through standard attack vectors (link in instant message, email, or an attachment). This vulnerability affects Windows 10 (versions 1609-current) and all corresponding Server versions.
Microsoft COM for Windows Remote Code Execution Vulnerability: CVE-2020-0922 would grant an attacker full rights to a system if the user was tricked into accessing a specially crafted image file. This vulnerability affects Windows 7 up to the current version of Windows 10, including the corresponding Server and Core versions.
CVE-2020-0997 is a Windows Camera Codec Pack Remote Code Execution Vulnerability that would grant an attacker the same rights as the logged-on user. The user would have to open a specially crafted file with the Windows Camera Codec Pack, which is unlikely.
There are two vulnerabilities this month with the name Microsoft Windows Codecs Library Remote Code Execution Vulnerability. CVE-2020-1129 and CVE-2020-1319 have similar descriptions, granting the attacker full control over the system if the user accessed a malicious image file. These vulnerabilities affect all Windows 10 versions, including Server.
CVE-2020-1252 is a Windows Remote Code Execution Vulnerability that affects Windows 8.1 up to the current version of Windows 10, including the corresponding Server versions. If the attacker tricked the user into running an application, they’d gain full control over the system.
There are also two Windows Media Audio Decoder Remote Code Execution Vulnerability fixes this month, listed as CVE-2020-1508 and CVE-2020-1593. If a user opened a malicious webpage, the attacker would gain full control over the system.
CVE-2020-0878 is listed as Microsoft Browser Memory Corruption Vulnerability, and affects Internet Explorer 11, Internet Explorer 9, and the Edge-HTML version of Microsoft Edge browsers. If a user visited a malicious webpage, the attacker could gain the same rights as the user on the affected machine.
The last two browser vulnerabilities have the same description. CVE-2020-1057 and CVE-2020-1172 are titled Scripting Engine Memory Corruption Vulnerability, and would also give the attacker the same rights as the logged-on user. You can find these vulnerabilities in the Edge-HTML version of Microsoft Edge on all operating systems that support the Edge browser.
There is a larger-than-usual number of vulnerabilities in SharePoint this month, so you should give your SharePoint servers extra attention in your update cycles. Generally, when a group of vulnerabilities is found in a certain application, it’s enticing to bad actors and they may work quickly to develop exploits.
There are five vulnerabilities with the same title and description of Microsoft SharePoint Remote Code Execution Vulnerability. CVE-2020-1452, CVE-2020-1453, CVE-2020-1200, CVE-2020-1210, and CVE-2020-1576 are all issues in SharePoint’s source markup check against application packages that are uploaded to SharePoint. If a malicious user were to upload a specially crafted application package, it would run in the context of the application pool on the system, giving the attacker the ability to execute code. These vulnerabilities affect SharePoint Enterprise 2013 and 2016, SharePoint Foundation 2010 and 2013, and SharePoint 2019.
There are two more vulnerabilities in SharePoint as well this month. CVE-2020-1460 is a Microsoft SharePoint Server Remote Code Execution Vulnerability in ASP.Net that would allow a page to run in the application pool context if the user created and invoked a page on the SharePoint Server. CVE-2020-1595 is an API vulnerability that would allow the attacker to run code on the system if they submitted a malicious API request.
CVE-2020-16875 is a Microsoft Exchange Memory Corruption Vulnerability that would allow an attacker to execute code on Exchange 2016 (CU 16 and 17) and 2019 (CU 5 and 6) by sending a specially crafted email.
There are two Microsoft Dynamics vulnerabilities this month as well. CVE-2020-16857 is a Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability. This vulnerability would require an authenticated attacker to upload a file to the Dynamics server to execute code on Microsoft Dynamics server version 10.0.11. The other vulnerability, CVE-2020-16862, is a Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability that would allow an authenticated attacker to upload a specially crafted file that would run in the context of the SQL Server account that services the Dynamics server on version 9.0 of Dynamics 365.
Our final “Critical” vulnerability in this batch is a Visual Studio Remote Code Execution Vulnerability listed as CVE-2020-16874. This vulnerability would grant an attacker the same rights as a logged-on user, if that user was tricked into opening a file with Visual Studio 2012, 2013, 2017, or 2019.
Occasionally, as I sift through the vulnerabilities fixed in each Patch Tuesday release, I find a few issues that are not listed as “Critical,” but still warrant some attention. While all the vulnerabilities so far are listed as “Exploitation Less Likely,” I did see one “Important” vulnerability that Microsoft labeled as “Exploitation More Likely.” CVE-2020-0664 is an Active Directory Information Disclosure Vulnerability in the DNS component of Active Directory. If an attacker submitted a properly formed DNS request, they could uncover information about the system that might allow them to perform follow-up attacks with other vulnerabilities. In fact, I saw several “Important” vulnerabilities in Active Directory this month, so while they’re not on the “Critical” list, you may want to ensure you prioritize Active Directory servers under your care, as these are prize trophies to a bad actor who’s looking to gather intel about your environment or use it as a jumping-off point to other systems in your network.
As I mentioned at the beginning of this article, there are no “emergency” vulnerabilities this month at the time of this writing, so the guidance is to ensure you’re addressing the workstation devices on their normal patch schedule (to address operating system and browser vulnerabilities), and servers on their next available maintenance window. Make sure your Active Directory servers are highest priority on the server front. If you’re running on-premises Exchange or SharePoint, they should be next on your list.
On another note, several of this month’s vulnerabilities are privilege-specific, meaning that users who do not have administrative rights pose less of a risk than a user with full rights to a system. As is best practice, it’s a good idea to audit the rights you allow your users to have on workstation systems. While it’s more convenient to simply make them administrators, limiting their rights on workstations can reduce the risk when they inevitably click on that link or visit a malicious webpage.
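One way to run the audit suggested above, as an added example that is not part of the original article: the function lists members of the local Administrators group that are not on an approved list. The `CONTOSO\...` entries are constructed placeholders, and querying remote machines assumes PowerShell remoting (WinRM) is enabled on them.

```powershell
# Added example: report accounts in the local Administrators group that are
# not on an approved list. The allow-list entries below are constructed
# placeholders, not values from the article.
function Get-UnexpectedLocalAdmin {
    [CmdletBinding()]
    param(
        # Workstations to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Accounts or groups that are allowed to hold local admin rights.
        [string[]]$Approved = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins')
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup also works where the group name is localized.
    $query = {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            Select-Object Name, ObjectClass, @{n = 'SID'; e = { $_.SID.Value } }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $members = & $query
            } else {
                $members = Invoke-Command -ComputerName $computer -ScriptBlock $query -ErrorAction Stop
            }
        } catch {
            # Hosts that cannot be queried are reported, not silently skipped.
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
            continue
        }

        foreach ($m in $members) {
            # RID 500 is the built-in Administrator account, which is always
            # a member, so it is not reported.
            $isBuiltin = $m.SID -match '^S-1-5-21-.*-500$'
            if (-not $isBuiltin -and $m.Name -notin $Approved) {
                [pscustomobject]@{
                    Computer = $computer
                    Member   = $m.Name
                    Type     = $m.ObjectClass
                }
            }
        }
    }
}

Get-UnexpectedLocalAdmin | Format-Table -AutoSize
```

Any row in the output is an account or group with administrative rights that has not been approved, and is a candidate for removal from the group.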
As always, stay safe out there!
Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd