September Patch Tuesday brought fixes for 129 vulnerabilities in 15 different Microsoft products: Windows, Edge and Internet Explorer browsers, ChakraCore, SQL Server, Exchange Server, Office, ASP.NET, OneDrive, Azure DevOps, Visual Studio and Microsoft Dynamics.
At the same time, the company's engineers assure that none of the vulnerabilities fixed this month was used in real attacks. However, for the seventh month in a row, Microsoft has fixed more than 110 vulnerabilities with its scheduled patches. For example, in August's Patch Tuesday Microsoft patched two 0-day vulnerabilities that were under active attack, and in April three 0-day vulnerabilities were being actively exploited by hackers. One can also recall the wormable vulnerability in the SMBv3 protocol. Nevertheless, today there is good news.
Thirty-two of the 129 problems allow remote execution of arbitrary code, and more than 20 of them were assigned critical status, making them the most dangerous vulnerabilities of this month. Critical RCE bugs were found in the following products:
- Windows (CVE-2020-1252)
- Local Microsoft Dynamics 365 systems (CVE-2020-16857, CVE-2020-16862)
- Windows GDI (CVE-2020-1285)
- Microsoft SharePoint (CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, CVE-2020-1576, CVE-2020-1595)
- Microsoft SharePoint Server (CVE-2020-1460)
- Windows Media Audio Decoder (CVE-2020-1593, CVE-2020-1508)
- Microsoft COM for Windows (CVE-2020-0922)
- Windows Text Service Module (CVE-2020-0908)
- Microsoft Windows Codecs Library (CVE-2020-1319, CVE-2020-1129)
- Windows Camera Codec Pack (CVE-2020-0997)
- Visual Studio (CVE-2020-16874)
All of the listed vulnerabilities are very dangerous, especially those affecting Windows itself, SharePoint and Dynamics 365, since large corporate networks often run these systems.
It should be noted that experts call a bug in Microsoft Exchange Server (CVE-2020-16875) one of the most dangerous problems of this month: an RCE vulnerability that scored 9.1 out of 10 on the CVSS scale.
“In essence, this bug allows simply sending a specially prepared letter to a vulnerable server, and this can lead to the launch of arbitrary code with System-level rights,” explain information security specialists.
The issue affects Microsoft Exchange 2016 and 2019.
Less dangerous bugs that have received the status of “important” were found in Windows, Active Directory, Active Directory Federation Services (ADFS), Internet Explorer Browser Helper, Jet Database Engine, ASP.NET Core, Dynamics 365, Excel, Graphics Component, Office, Office SharePoint, SharePoint Server, SharePoint, Word, OneDrive for Windows, Scripting Engine, Visual Studio, Win32k, Windows Defender Application Control, Windows DNS, and so on.
Most of these issues involve potential information disclosure, privilege escalation, and XSS. Certain vulnerabilities can also lead to remote code execution or allow security feature bypass, spoofing, or denial of service.