The September 2020 Security Update Review
September 08, 2020 | Dustin ChildsSeptember is upon us and so are the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.
Adobe Patches for September 2020
Adobe released three patches addressing 18 unique CVEs in InDesign, Framemaker, and Adobe Experience Manager. The patch for InDesign corrects five memory corruption bugs. The patch for Framemaker fixes an out-of-bounds read and an stack-based buffer overflow. Both are rated Critical and both were reported through the ZDI program. The patch for Experience Manager fixes a variety of bugs, but most are related to cross-site scripting (XSS).
As a reminder, Adobe Flash will go out of support at the end of this year. It will be interesting to see if any further patches for the once ubiquitous media player are released.
Microsoft Patches for September 2020
For September, Microsoft released patches for 129 CVEs in Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), SQL Server, Office and Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive, and Azure DevOps. That brings us to seven straight months of 110+ CVEs. It also brings the yearly total close to 1,000. It certainly seems like this volume is the new normal for Microsoft patches.
Of these 129 patches, 23 are listed as Critical while 105 are listed as Important, and one is listed as Moderate in severity. A total of 12 of these bugs came through the ZDI program. None of the bugs are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more severe bugs in this release, starting with an Exchange bug that is sure to get a lot of attention:
- CVE-2020-16875 – Microsoft Exchange Memory Corruption VulnerabilityWithout a doubt, this is the most severe bug being addressed this month. This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That is about the worst-case scenario for Exchange servers. We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon. This should be your top priority.
*NOTE: After initial publication, Microsoft changed the description to indicate the bug can only be reached by an authenticated user. This significantly lowers the risk. However, the researcher who reported this bug also states he has a working proof-of-concept. We still recommend testing and deploying this patch quickly.
- CVE-2020-1129 – Microsoft Windows Codecs Library Remote Code Execution Vulnerability This bug was reported by ZDI vulnerability researcher Hossein Lotfi and could allow code execution if an affected system views a specially crafted image. Since this vulnerability resides in the codecs library, multiple applications could be affected. The specific flaw exists within the parsing of HEVC streams. A crafted HEVC stream in a video file can trigger an overflow of a fixed-length stack-based buffer.
- CVE-2020-0922 – Microsoft COM for Windows Remote Code Execution Vulnerability
This patch corrects a vulnerability that would allow an attacker to execute code on an affected system if they can convince a user to open a specially crafted file or lure the target to a website hosting malicious JavaScript. Since this bug resides in COM, there are likely multiple applications that could be impacted by this flaw.
- CVE-2020-0951 – Windows Defender Application Control Security Feature Bypass Vulnerability
This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all. Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.
Here’s the full list of CVEs released by Microsoft for September 2020:
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2020-1285 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0878 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0922 | Microsoft COM for Windows Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-16862 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-16857 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical | No | No | N/A | N/A | RCE |
CVE-2020-16875 | Microsoft Exchange Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1200 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1210 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1452 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1453 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1576 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1595 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1460 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1129 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1319 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1057 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1172 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-16874 | Visual Studio Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0997 | Windows Camera Codec Pack Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1508 | Windows Media Audio Decoder Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1593 | Windows Media Audio Decoder Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-1252 | Windows Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0908 | Windows Text Service Module Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2020-0664 | Active Directory Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2020-0856 | Active Directory Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2020-0718 | Active Directory Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0761 | Active Directory Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0837 | ADFS Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoofing |
CVE-2020-1590 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1130 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1133 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1053 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1308 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-1013 | Group Policy Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-16884 | Internet Explorer Browser Helper Object (BHO) Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1039 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1074 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2020-1507 | Microsoft COM for Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-16858 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-16859 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-16861 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-16864 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-16871 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-16872 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-16878 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-16860 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1224 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1193 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1332 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1335 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1594 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0921 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1083 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-16855 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1198 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | N/A | N/A | XSS |
CVE-2020-1227 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | N/A | N/A | XSS |
CVE-2020-1345 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-1482 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-1514 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-1575 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2020-1440 | Microsoft SharePoint Server Tampering Vulnerability | Important | No | No | 2 | 2 | Tampering |
CVE-2020-1523 | Microsoft SharePoint Server Tampering Vulnerability | Important | No | No | 2 | 2 | Tampering |
CVE-2020-1205 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoofing |
CVE-2020-0790 | Microsoft splwow64 Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0875 | Microsoft splwow64 Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0766 | Microsoft Store Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1146 | Microsoft Store Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1218 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1338 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0838 | NTFS Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-16851 | OneDrive for Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-16852 | OneDrive for Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-16853 | OneDrive for Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-16879 | Projected Filesystem Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0805 | Projected Filesystem Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2020-1180 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-0870 | Shell infrastructure component Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1596 | TLS Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-16881 | Visual Studio JSON Remote Code Execution | Important | No | No | 2 | 2 | RCE |
CVE-2020-16856 | Visual Studio Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2020-1245 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0941 | Win32k Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2020-1250 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1471 | Windows CloudExperienceHost Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1115 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-0782 | Windows Cryptographic Catalog Services Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0951 | Windows Defender Application Control Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2020-1031 | Windows DHCP Server Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0836 | Windows DNS Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-1228 | Windows DNS Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0839 | Windows dnsrslvr.dll Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1052 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1159 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1376 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1491 | Windows Function Discovery Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0912 | Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1256 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0998 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1091 | Windows Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1097 | Windows Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0890 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-0904 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2020-1119 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1532 | Windows InstallService Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1034 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0928 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1033 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1589 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1592 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-16854 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-1122 | Windows Language Pack Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0989 | Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0911 | Windows Modules Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1030 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1038 | Windows Routing Utilities Denial of Service | Important | No | No | 2 | 2 | DoS |
CVE-2020-0648 | Windows RSoP Service Application Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1169 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1303 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1098 | Windows Shell Infrastructure Component Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1012 | Windows Start-Up Application Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1506 | Windows Start-Up Application Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-0914 | Windows State Repository Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2020-0886 | Windows Storage Services Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1559 | Windows Storage Services Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1598 | Windows UPnP Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2020-1152 | Windows Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2020-16873 | Xamarin.Forms Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoofing |
CVE-2020-1044 | SQL Server Reporting Services Security Feature Bypass Vulnerability | Moderate | No | No | 2 | 2 | SFB |
Of the remaining Critical-rated patches, there’s a pair of RCE bugs in Dynamics 365. However, both require the attacker to be authenticated. There are seven RCE bugs being fixed in SharePoint. One of these, CVE-2020-1460, does require authentication but the others do not. In addition to the previously mentioned codec bug, there are a few other codec-related fixes. All require viewing a specially crafted image or file. Visual Studio receives a patch to correct a code execution bug triggered when opening a crafted file. That code execution occurs at the level of the logged-on user. The remaining Critical-rated bugs involve browsers and browser components. The most interesting of these is a patch for the Windows Text Service Module that impacts the Chromium-based Edge.
Beyond the Critical-rated RCE bugs, there are also 15 Important-rated RCE bugs. Most of these are in the Office suite, but all require some form of user interaction. This usually involves opening a malicious file or otherwise viewing it. There are a couple of interesting Active Directory bugs, but both require authentication to gain code execution. If you’re concerned about insider threat, definitely prioritize these two.
Looking at the 41 EoP bugs, only a few stand out. Most require an attacker to run a specially crafted program on an affected system to elevate privileges. There are three patches for OneDrive, but you should have already received them, as OneDrive auto-updates. If you’re running an air-gapped system, you will need to apply these patches. These also only affect Per Machine Installation systems, so you may not be impacted at all. Another interesting EoP impacts Group Policy. If an attacker can intercept traffic between a domain controller and a target machine, they could create a group policy to grant administrator rights to a standard user.
Moving on to the Denial-of-Service (DoS) bugs, two impact DNS, but both require the attacker to be authenticated. The same goes for the two DoS bugs in Hyper-V. For those, an attacker that already has a privileged account on a guest operating system could cause a DoS by running their crafted application. The patch to fix a DoS in the Windows Routing Utilities requires the attacker to log on and run a program.
There are 23 information disclosure bugs receiving patches this month. The majority of these bugs simply disclose uninitialized memory. However, the write-up for the Mobile Device Management Diagnostics component simply states the disclosed information is “sensitive information.” There are three spoofing bugs being fixed, including one in Xamarin.Forms that could lead to an attacker executing Javascript on an affected system. That sounds more like RCE to me, but if you use the framework, definitely apply this patch.
In addition to the security feature bypass mentioned above, there three other patches for bypasses. The first exists in ASP.NET and could allow an attacker to set a second cookie with the name being percent encoded. The second occurs in the Projected Filesystem and would allow attackers to delete target files. The final patch fixes a bug in SQL Server that could allow the upload of restricted filetypes.
There are two tampering bugs in SharePoint Server that could allow an attacker to modify a user’s profile data. Both require the attacker to be authenticated. This month’s release is rounded out by 13 XSS bugs in Dynamics 365 (On-Premise) and SharePoint Server.
The lone advisory for this month is the revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.
Looking Ahead
The next Patch Tuesday falls on October 13, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!