The September 2020 Security Update Review

September is upon us and so are the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for September 2020

Adobe released three patches addressing 18 unique CVEs in InDesign, Framemaker, and Adobe Experience Manager. The patch for InDesign corrects five memory corruption bugs. The patch for Framemaker fixes an out-of-bounds read and an stack-based buffer overflow. Both are rated Critical and both were reported through the ZDI program. The patch for Experience Manager fixes a variety of bugs, but most are related to cross-site scripting (XSS).

As a reminder, Adobe Flash will go out of support at the end of this year. It will be interesting to see if any further patches for the once ubiquitous media player are released.

Microsoft Patches for September 2020

For September, Microsoft released patches for 129 CVEs in Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), SQL Server, Office and Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive, and Azure DevOps. That brings us to seven straight months of 110+ CVEs. It also brings the yearly total close to 1,000. It certainly seems like this volume is the new normal for Microsoft patches. 

Of these 129 patches, 23 are listed as Critical while 105 are listed as Important, and one is listed as Moderate in severity. A total of 12 of these bugs came through the ZDI program. None of the bugs are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more severe bugs in this release, starting with an Exchange bug that is sure to get a lot of attention:

-       CVE-2020-16875 – Microsoft Exchange Memory Corruption VulnerabilityWithout a doubt, this is the most severe bug being addressed this month. This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That is about the worst-case scenario for Exchange servers. We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon. This should be your top priority.

*NOTE: After initial publication, Microsoft changed the description to indicate the bug can only be reached by an authenticated user. This significantly lowers the risk. However, the researcher who reported this bug also states he has a working proof-of-concept. We still recommend testing and deploying this patch quickly.

 -       CVE-2020-1129 – Microsoft Windows Codecs Library Remote Code Execution Vulnerability This bug was reported by ZDI vulnerability researcher Hossein Lotfi and could allow code execution if an affected system views a specially crafted image. Since this vulnerability resides in the codecs library, multiple applications could be affected. The specific flaw exists within the parsing of HEVC streams. A crafted HEVC stream in a video file can trigger an overflow of a fixed-length stack-based buffer.

-       CVE-2020-0922 – Microsoft COM for Windows Remote Code Execution Vulnerability
This patch corrects a vulnerability that would allow an attacker to execute code on an affected system if they can convince a user to open a specially crafted file or lure the target to a website hosting malicious JavaScript. Since this bug resides in COM, there are likely multiple applications that could be impacted by this flaw.

-       CVE-2020-0951 – Windows Defender Application Control Security Feature Bypass Vulnerability
This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all. Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.

Here’s the full list of CVEs released by Microsoft for September 2020:

Of the remaining Critical-rated patches, there’s a pair of RCE bugs in Dynamics 365. However, both require the attacker to be authenticated. There are seven RCE bugs being fixed in SharePoint. One of these, CVE-2020-1460, does require authentication but the others do not. In addition to the previously mentioned codec bug, there are a few other codec-related fixes. All require viewing a specially crafted image or file. Visual Studio receives a patch to correct a code execution bug triggered when opening a crafted file. That code execution occurs at the level of the logged-on user. The remaining Critical-rated bugs involve browsers and browser components. The most interesting of these is a patch for the Windows Text Service Module that impacts the Chromium-based Edge. 

Beyond the Critical-rated RCE bugs, there are also 15 Important-rated RCE bugs. Most of these are in the Office suite, but all require some form of user interaction. This usually involves opening a malicious file or otherwise viewing it. There are a couple of interesting Active Directory bugs, but both require authentication to gain code execution. If you’re concerned about insider threat, definitely prioritize these two. 

Looking at the 41 EoP bugs, only a few stand out. Most require an attacker to run a specially crafted program on an affected system to elevate privileges. There are three patches for OneDrive, but you should have already received them, as OneDrive auto-updates. If you’re running an air-gapped system, you will need to apply these patches. These also only affect Per Machine Installation systems, so you may not be impacted at all. Another interesting EoP impacts Group Policy. If an attacker can intercept traffic between a domain controller and a target machine, they could create a group policy to grant administrator rights to a standard user.

Moving on to the Denial-of-Service (DoS) bugs, two impact DNS, but both require the attacker to be authenticated. The same goes for the two DoS bugs in Hyper-V. For those, an attacker that already has a privileged account on a guest operating system could cause a DoS by running their crafted application. The patch to fix a DoS in the Windows Routing Utilities requires the attacker to log on and run a program.

There are 23 information disclosure bugs receiving patches this month. The majority of these bugs simply disclose uninitialized memory. However, the write-up for the Mobile Device Management Diagnostics component simply states the disclosed information is “sensitive information.” There are three spoofing bugs being fixed, including one in Xamarin.Forms that could lead to an attacker executing Javascript on an affected system. That sounds more like RCE to me, but if you use the framework, definitely apply this patch.

In addition to the security feature bypass mentioned above, there three other patches for bypasses. The first exists in ASP.NET and could allow an attacker to set a second cookie with the name being percent encoded. The second occurs in the Projected Filesystem and would allow attackers to delete target files. The final patch fixes a bug in SQL Server that could allow the upload of restricted filetypes. 

There are two tampering bugs in SharePoint Server that could allow an attacker to modify a user’s profile data. Both require the attacker to be authenticated. This month’s release is rounded out by 13 XSS bugs in Dynamics 365 (On-Premise) and SharePoint Server.

The lone advisory for this month is the revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.

Looking Ahead

The next Patch Tuesday falls on October 13, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!