129 Vulnerabilities Fixed in Microsoft’s Patch Tuesday with Critical RCE Flaws
One-hundred-and-twenty-nine vulnerabilities, of which 23 are critical, 105 important, and one of moderate severity, have been fixed in this month’s Patch Tuesday. While none are under active attack or publicly known; one of the more critical patches (CVE-2020-16865), a memory-corruption problem in Microsoft Exchange 2016 and 2019, could allow remote code execution (RCE) by simply sending an email to a victim.
If exploited, a malicious actor could run arbitrary code, and grant themselves the access needed to create new accounts, modify, access or remove data and install programmes. The security update addresses the vulnerability by fixing how Microsoft Exchange handles cmdlet (a lightweight command used in Powershell) arguments. Following suit for critically is CVE-2020-1210, a RCE vulnerability in Microsoft SharePoint that malicious actors could exploit by uploading a file to a vulnerable SharePoint site. The update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages. This is just one of many critical bugs in SharePoint (versions 2010 to 2019) that could be used to compromise systems running this software; we recommend prioritising and implementing these patches as a matter of urgency.
Never Ending Patches
September’s release marks the seventh consecutive month that Microsoft has released patches for over 100 vulnerabilities, and the fourth time in a row that it has patched over 120. While the updates cover Active Directory, Internet Explorer, Microsoft Office, OneDrive and so forth, the crucial vulnerabilities lie within:
- Windows (CVE-2020-1252)
- Microsoft Windows Codecs Library (CVE-2020-1129, CVE-2020-1319)
- On-premise Microsoft Dynamics 365 systems (CVE-2020-16862, CVE-2020-16857)
- Visual Studio (CVE-2020-16874)
- Windows Graphics Device Interface (GDI) (CVE-2020-1285)
- Windows Text Service Module (CVE-2020-0908)
- Microsoft SharePoint (CVE-2020-1576, CVE-2020-1595, CVE-2020-1210, CVE-2020-1200, CVE-2020-1452, CVE-2020-1453)
- Microsoft SharePoint Server (CVE-2020-1460)
- Windows Camera Codec Pack (CVE-2020-0997)
- Microsoft COM for Windows (CVE-2020-0922)
- Windows Media Audio Decoder (CVE-2020-1508, CVE-2020-1593)
Adobe has also released a batch of security updates for a number of its products, including In-Design, Adobe Acrobat and Adobe Experience Manager, and Google releases critical updates for its Chrome browser that fixes around five security flaws that are rated high severity. Chrome users are strongly advised to update their browser if the Google icon next to the address bar contains a small upward-facing arrow.
In light of what seems like a forever increasing number of patch updates, Simon Crumplin, Secrutiny Founder, commented on the continued use of legacy software:
“Lockdown turned into many conversations where I heard these comments, ‘old apps cannot run on new OS, and it worries me’, ‘we can’t add better protection to the 24×7 systems; if they get hit manufacturing stops’ and that ‘some devices were missed in the last upgrade schedule, and now they are remote so off-limits’.
As we can see, it’s hard enough for the latest operating systems with these constant patches and updates, let alone legacy security, which is riddled with blind spots posing significant security risks.”
Simon will be presenting a webinar on protecting legacy environments in October, follow Secrutiny on social media where we will be releasing further information and providing registration details.
The increasing dependence on remote working has led to an exponential rise in phishing and social engineering attacks, as Google data reveals 350% surge in phishing websites during the pandemic. We discuss phishing, social engineering and business network manipulation, and how organisations can better prepare themselves.
Remote Work at Risk: Over 160% Rise in Use of High-Risk Apps and Websites with 64% of Workers Now Remote
The latest 2020 Edition of the Netskope Cloud and Threat Report, reveals a massive shift in user behaviour, specifically the trend of personal use of managed devices, and the increased risk that comes with this shift.
A critical privilege escalation exploit in Windows Server (CVE-2020-1472), codenamed Zerologon, allows an attacker to become a domain admin, even without any credentials.