September Microsoft Security Patches Address 129 Vulnerabilities
Microsoft on Tuesday released security patches to address 129 common vulnerabilities and exposures (CVEs) this month in its software products.
As usual, the security patches are for Windows, Microsoft's browsers and Microsoft Office. Server products getting patches this month include Exchange Server, SharePoint Server, SQL Server, Windows Server and Microsoft Dynamics. Visual Studio is also getting a security fix. A summary of the affected products can be found in Microsoft's "Release Notes" document. Additional notes on patch supersedence, reboots and "known issues" can be found in Microsoft's "Deployment Info" document.
The high number of fixes in the September bundle continues a 2020 trend of hefty patch deliveries from Microsoft. This September batch represents the seventh consecutive month this year in which the patch count has exceeded 110 CVEs, according to Dustin Childs of Trend Micro's Zero Day Initiative blog. Such a trend appears to be "the new normal for Microsoft patches," he added.
Of the 129 CVEs, 23 are rated "Critical," while 105 are deemed "Important." There's also one vulnerability that's listed as "Moderate." The good news, for now, is that none of the vulnerabilities were previously known to be under active attack.
The bad news is that many of the patches are for Microsoft's server products, noted Richard Tsang, a senior software engineer at security solutions firm Rapid7. Patching servers may take more planning, he noted.
Microsoft often sends security advisories at the same time that it releases its monthly security patch bundles, but this time only one advisory was released. It's Security Advisory ADV990001, which lists the latest servicing stack updates for Windows systems. These are patches for the Windows Update patching mechanism itself, which Microsoft characterizes as "Critical" to apply.
Update 9/9: Microsoft is packaging the latest Windows 10 servicing stack updates with the latest cumulative updates, starting with its Sept. 2020 releases, according to a Tuesday announcement. With this approach, the promise is that IT pros won't have to check to ensure that the latest servicing stack update is installed first, since both will be packaged together.
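Because ADV990001 makes the servicing stack update a prerequisite for the rest of the bundle, one check an administrator can run on a Windows 10 or Windows Server machine is to list which servicing stack update and which cumulative update are actually installed and compare them against the build the machine reports. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated session with the DISM PowerShell module and the standard package naming (Package_for_ServicingStack_*, Package_for_RollupFix_*), and the September KB numbers themselves are not given in the article, so the output must be compared against Microsoft's "Deployment Info" document by hand.

```powershell
# Added example (not from the article): inventory the installed servicing stack
# update (SSU) and latest cumulative update (LCU) and show the running build.
# Assumes an elevated PowerShell session with the DISM module available
# (Get-WindowsPackage) and Microsoft's usual package naming convention.

$installed = Get-WindowsPackage -Online |
    Where-Object { $_.PackageState -eq 'Installed' }

# Servicing stack updates are delivered as Package_for_ServicingStack_* packages.
$ssu = $installed |
    Where-Object { $_.PackageName -like 'Package_for_ServicingStack*' } |
    Sort-Object InstallTime -Descending

# Monthly cumulative updates are delivered as Package_for_RollupFix_* packages.
$lcu = $installed |
    Where-Object { $_.PackageName -like 'Package_for_RollupFix*' } |
    Sort-Object InstallTime -Descending

Write-Host 'Most recent servicing stack update:'
$ssu | Select-Object -First 1 PackageName, InstallTime | Format-List

Write-Host 'Most recent cumulative update:'
$lcu | Select-Object -First 1 PackageName, InstallTime | Format-List

# The build number and update build revision (UBR) identify which cumulative
# update the OS is running; compare these against the KB article for the
# September release (KB number to be taken from Microsoft's Deployment Info).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
'Running build: {0}.{1} ({2})' -f $cv.CurrentBuildNumber, $cv.UBR, $cv.DisplayVersion

# Flag the case the advisory warns about: an LCU installed before the newest SSU.
if ($ssu -and $lcu -and $lcu[0].InstallTime -lt $ssu[0].InstallTime) {
    Write-Warning 'Cumulative update predates the newest servicing stack update; re-check update state.'
}
```

Starting with the September 2020 releases the SSU and LCU ship together, so on fully current Windows 10 systems the two install times reported above should be close to each other.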
Notable "Critical" Server Patches
Windows operating systems and Microsoft's browsers are the software products getting the bulk of the Critical fixes this month, according to Todd Schell, a senior product manager at security solutions firm Ivanti.
Security analysts appeared to agree that the worst vulnerability this month can be found in Exchange Server 2016 and 2019 products, namely CVE-2020-16875. It's a Critical flaw that's ranked 9.1 (out of 10) on the Common Vulnerability Scoring System scale, Tsang noted, via e-mail. The memory corruption issue would let an attacker run code remotely on the server, and it can be triggered by sending a "specially crafted email" to the server. Such a scenario "doesn't quite make it wormable, but it's about the worst-case scenario for Exchange servers," noted Childs.
SharePoint Server is getting patches this month for seven Critical-rated vulnerabilities that could get exploited for remote code execution, Tsang noted. They include CVE-2020-1576, CVE-2020-1452, CVE-2020-1453, CVE-2020-1200, CVE-2020-1460, CVE-2020-1595 and CVE-2020-1210. The last of these, CVE-2020-1210, has a Common Vulnerability Scoring System ranking of 9.9 (out of 10), Schell noted. There's also an Important patch for "one tampering vulnerability (CVE-2020-1523)" in SharePoint Server products. Organizations don't have any mitigation stopgaps with regard to the Critical SharePoint flaws, so they should just apply the patches, noted Nick Colyer, a senior product marketing manager with security solutions firm Automox, via e-mail.
Microsoft Dynamics on-premises servers have two Critical-rated remote code execution vulnerabilities, namely CVE-2020-16857 and CVE-2020-16862, which could get triggered by sending a "specifically created file" to the servers. It could lead to the stealing of documents and data, noted Richard Melick, a senior technical product manager at Automox. "Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size," he added.
A couple of the Critical fixes concern Windows components. There's a remote code execution vulnerability in the Windows Codecs Library (CVE-2020-1129), which can affect "multiple applications," according to Childs. It's triggered by a buffer overflow during the "parsing of HEVC streams," he explained. Another Critical one is a patch for Microsoft COM in Windows systems (CVE-2020-0922), which could lead to remote code execution if a user gets tricked into opening a malicious file or visiting a malicious Web site.
Notable "Important" Items
Windows Defender Application Control (WDAC) has a vulnerability that would permit an attacker to bypass WDAC enforcement. However, it's rated only Important, as an attacker would already need administrative privileges on the local machine, with access to PowerShell, to execute commands and install code. This patch for WDAC is unusual, though, because "vulnerabilities that require administrative access to exploit typically do not get patches" from Microsoft, Childs explained.
There are two Important-rated vulnerabilities (CVE-2020-0664 and CVE-2020-0856) associated with Active Directory in Windows Server systems that could lead to information disclosure. Due to the prevalence of Active Directory use, it should be "addressed quickly," according to Melick. "Combining this exploit with another could give an attacker all the tools they need to further exploit the victim system, giving them unprecedented access to corporate networks," he added.
Flash Support Ends in December
Another notable item, but unrelated to this month's patch bundle, is the end of support for the Adobe Flash Player. The video plug-in will lose patch support after Dec. 31, 2020.
The impending demise of Flash isn't news, as Adobe had announced the product's end back in July 2017. Other technologies, such as "HTML5, WebGL and WebAssembly" are taking Flash's place in browsers. Organizations still clinging to Flash after the December end date won't get security patches from Adobe, but there is possible support from Adobe's partner, Harman, for organizations with business processes still tied to Flash, as explained in this Adobe blog post.
In a Friday announcement, Microsoft affirmed that it won't support the Flash Player in its Microsoft Edge and Internet Explorer 11 browsers after the December end date. For customers getting supported by Harman, Microsoft will permit Flash to run as a Microsoft Edge plug-in using an Internet Explorer mode feature. However, it's still planning to remove "APIs, group policies and user interfaces" associated with the Adobe Flash Player in the "summer of 2021."
Schell noted that existing Flash installations will get removed via the Windows Update service. He added that organizations can "expect some sort of removal tools to become available over the next few months and likely a version of the Microsoft browsers that remove Flash."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.