Patch Tuesday September Brings 129 MSFT Bugs, 23 Critical

“… That doesn’t fairly make it wormable, but it’s about the worst-case situation for Trade servers”

Microsoft’s “Patch Tuesday” is when yet again (probably by now unsurprisingly) a whopper, with 129 vulnerabilities to resolve 23 of them rated important and a chunky 105 mentioned as critical — up from August’s tally of one hundred twenty CVEs, with 17 viewed as important.

If there is a silver lining to this cloud it is that — contrary to previous thirty day period — none are mentioned as under energetic assault. But the launch brings Microsoft’s tally of bugs needing fixing this yr to 991, and consists of patches for some severe vulnerabilities that no shortage of very well-resourced lousy actors will be on the lookout to quickly reverse engineer.

In the true entire world, of class, operating out what to patch is a perennial dice-roll (for those not in the sunlit uplands the place rebooting units at the simply click of It is fingers is achievable for most it’s not) and as one contributor not too long ago famous in a energetic discussion around danger prioritisation on the OSS-protection mailing list, “the frameworks which do exist, this sort of as CVSS, are entirely arbitrary and unable to take into account information about the assortment of conclusion person deployments”. (Many others may perhaps disagree. Really feel absolutely free to weigh in).

No matter, there is heaps to patch! Below are some that stand out.

CVE-2020-16875 – Microsoft Trade Memory Corruption Vulnerability. CVSS, 9.one.

This bug allows an attacker to execute code at Technique by sending a specially crafted email to an impacted Trade Server (2016, 2019).

As Pattern Micro’s ZDI notes: “That doesn’t fairly make it wormable, but it’s about the worst-case situation for Trade servers.

“We have found the earlier patched Trade bug CVE-2020-0688 applied in the wild, and that demands authentication. We’ll very likely see this one in the wild soon.”

Credit history for the uncover goes to the prolific Steven Seeley. 

CVE-2020-1452 // -1453 // -1576 // -1200 // -1210 // -1595 – Microsoft SharePoint Distant Code Execution Vulnerability

CVE-2020-1452, 1453, 1576, 1200, 1210, and 1595 are all important distant code execution vulnerabilities discovered in Microsoft SharePoint.

As patch management expert Automox notes: “The result of deserializing untrusted information input, the vulnerability allows arbitrary code execution in the SharePoint application pool and server farm account. Versions of the assault this sort of as CVE-2020-1595 (API unique), mirror the importance of patching this vulnerability to decrease the danger surface.”

Credit history to Oleksandr Mirosh

CVE-2020-0922 — Distant Code Execution Vulnerability in Microsoft COM for Windows. CVSS eight.eight

This vulnerability impacts Windows 7 – ten and Windows Server 2008 through 2019. The vulnerability exists in the way Microsoft COM handles objects in memory and, when exploited, would allow an attacker to execute arbitrary scripts on a victim machine. As protection intelligence organization Recorded Future’s Allan Liska notes: “To exploit a vulnerability an attacker would will need to get a victim to execute a destructive JavaScript on the victim’s machine. If this vulnerability is finally weaponized, it would be in line with recent tendencies of attackers using so-known as fileless malware in their assaults by sending phishing emails with destructive scripts as attachments.”

Credit history, Yuki Chen, 360 BugCloud

Intel in the meantime patched a important (CVSS 9.eight) bug in its Energetic Management Engineering (AMT) which allows unauthenticated people escalate privilege “via community access”. The bug, which has shades of colossal “backdoor” CVE-2017-5689 to it, was claimed internally and is staying patched by way of Intel-SA-00404. 

Microsoft’s Patch Tuesday September steering begins below.