129 Vulnerabilities Fixed in Microsoft’s Patch Tuesday with Critical RCE Flaws

September 2020

One-hundred-and-twenty-nine vulnerabilities, of which 23 are critical, 105 important, and one of moderate severity, have been fixed in this month’s Patch Tuesday. While none are under active attack or publicly known; one of the more critical patches (CVE-2020-16865), a memory-corruption problem in Microsoft Exchange 2016 and 2019, could allow remote code execution (RCE) by simply sending an email to a victim.

If exploited, a malicious actor could run arbitrary code, and grant themselves the access needed to create new accounts, modify, access or remove data and install programmes. The security update addresses the vulnerability by fixing how Microsoft Exchange handles cmdlet (a lightweight command used in Powershell) arguments. Following suit for critically is CVE-2020-1210, a RCE vulnerability in Microsoft SharePoint that malicious actors could exploit by uploading a file to a vulnerable SharePoint site. The update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages. This is just one of many critical bugs in SharePoint (versions 2010 to 2019) that could be used to compromise systems running this software; we recommend prioritising and implementing these patches as a matter of urgency.

Never Ending Patches

September’s release marks the seventh consecutive month that Microsoft has released patches for over 100 vulnerabilities, and the fourth time in a row that it has patched over 120. While the updates cover Active Directory, Internet Explorer, Microsoft Office, OneDrive and so forth, the crucial vulnerabilities lie within:

Adobe has also released a batch of security updates for a number of its products, including In-Design, Adobe Acrobat and Adobe Experience Manager, and Google releases critical updates for its Chrome browser that fixes around five security flaws that are rated high severity. Chrome users are strongly advised to update their browser if the Google icon next to the address bar contains a small upward-facing arrow.

Legacy Software

In light of what seems like a forever increasing number of patch updates, Simon Crumplin, Secrutiny Founder, commented on the continued use of legacy software: 

“Lockdown turned into many conversations where I heard these comments, ‘old apps cannot run on new OS, and it worries me’, ‘we can’t add better protection to the 24×7 systems; if they get hit manufacturing stops’ and that ‘some devices were missed in the last upgrade schedule, and now they are remote so off-limits’.

As we can see, it’s hard enough for the latest operating systems with these constant patches and updates, let alone legacy security, which is riddled with blind spots posing significant security risks.”

Simon will be presenting a webinar on protecting legacy environments in October, follow Secrutiny on social media where we will be releasing further information and providing registration details.