Tech
Microsoft September 2020 Patch Tuesday fixes 129 vulnerabilities
Twenty critical remote code execution bugs have been patched this month, including in Windows and SharePoint enterprise servers.
Microsoft has published today its monthly batch of security updates, also known as Patch Tuesday. This month, the OS maker patched 129 vulnerabilities across 15 products, ranging from Windows to ASP.NET.
Of note is that this month, of the 129 vulnerabilities, 32 were classified as remote code execution issues, which are bugs that permit attackers to exploit vulnerable applications remotely, over a network.
Of these 32, 20 also received a severity classification of "critical," the highest rating on Microsoft's scale, making the 20 vulnerabilities some of the most important bugs patched across Microsoft products this month.The list of 20 critical RCEs includes bugs in:
- Windows (CVE-2020-1252)
- On-premise Microsoft Dynamics 365 systems (CVE-2020-16857, CVE-2020-16862)
- Windows Graphics Device Interface (GDI) (CVE-2020-1285)
- Microsoft SharePoint (CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, CVE-2020-1576, CVE-2020-1595)
- Microsoft SharePoint Server (CVE-2020-1460)
- Windows Media Audio Decoder (CVE-2020-1593, CVE-2020-1508)
- Microsoft COM for Windows (CVE-2020-0922)
- Windows Text Service Module (CVE-2020-0908)
- Microsoft Windows Codecs Library (CVE-2020-1319, CVE-2020-1129)
- Windows Camera Codec Pack (CVE-2020-0997)
- Visual Studio (CVE-2020-16874)
All of the vulnerabilities listed above are serious issues, and especially the ones impacting Windows (due to the huge attack surface) and SharePoint and Dynamics 365 (as these systems are often installed on large enterprise networks).
Malware authors are known to follow Microsoft's monthly security updates, select the most useful/dangerous bugs, and patch-diff the updated components to find the exact bug Microsoft fixed -- so they can weaponize it for future attacks.
System administrators are advised to review the threat posed by each of the RCE vulnerabilities listed above, and then decide if this month's security updates need to be applied right away or delayed for additional testing.
Below is additional information about today's Microsoft Patch Tuesday and security updates released by other major tech companies:
- Microsoft's official Security Update Guide portal lists all security updates in a filterable table.
- ZDNet has published this file listing all this month's security advisories on one single page.
- Adobe's security updates are detailed here.
- SAP security updates are available here.
- Intel security updates are available here.
- VMWare security updates are available here.
- Chrome 85 security updates are detailed here.
- The Android Security Bulletin for September 2020 will also be out later today, delayed due to the Labor Day extended weekend.
| Tag | CVE ID | CVE Title |
|---|---|---|
| Active Directory | CVE-2020-0761 | Active Directory Remote Code Execution Vulnerability |
| Active Directory | CVE-2020-0856 | Active Directory Information Disclosure Vulnerability |
| Active Directory | CVE-2020-0718 | Active Directory Remote Code Execution Vulnerability |
| Active Directory | CVE-2020-0664 | Active Directory Information Disclosure Vulnerability |
| Active Directory Federation Services | CVE-2020-0837 | ADFS Spoofing Vulnerability |
| ASP.NET | CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability |
| Common Log File System Driver | CVE-2020-1115 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Internet Explorer | CVE-2020-1012 | WinINet API Elevation of Privilege Vulnerability |
| Internet Explorer | CVE-2020-16884 | Internet Explorer Browser Helper Object (BHO) Memory Corruption Vulnerability |
| Internet Explorer | CVE-2020-1506 | Windows Start-Up Application Elevation of Privilege Vulnerability |
| Microsoft Browsers | CVE-2020-0878 | Microsoft Browser Memory Corruption Vulnerability |
| Microsoft Dynamics | CVE-2020-16857 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability |
| Microsoft Dynamics | CVE-2020-16858 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability |
| Microsoft Dynamics | CVE-2020-16860 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability |
| Microsoft Dynamics | CVE-2020-16859 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability |
| Microsoft Dynamics | CVE-2020-16861 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability |
| Microsoft Dynamics | CVE-2020-16872 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability |
| Microsoft Dynamics | CVE-2020-16864 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability |
| Microsoft Dynamics | CVE-2020-16878 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability |
| Microsoft Dynamics | CVE-2020-16862 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability |
| Microsoft Dynamics | CVE-2020-16871 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability |
| Microsoft Exchange Server | CVE-2020-16875 | Microsoft Exchange Memory Corruption Vulnerability |
| Microsoft Graphics Component | CVE-2020-0921 | Microsoft Graphics Component Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2020-0998 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-1091 | Windows Graphics Component Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2020-1152 | Windows Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-1097 | Windows Graphics Component Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2020-1083 | Microsoft Graphics Component Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2020-1053 | DirectX Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-1308 | DirectX Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-1245 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-1285 | GDI+ Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2020-1256 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2020-1250 | Win32k Information Disclosure Vulnerability |
| Microsoft JET Database Engine | CVE-2020-1039 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2020-1074 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft NTFS | CVE-2020-0838 | NTFS Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2020-1594 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-1335 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-16855 | Microsoft Office Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-1338 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-1332 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-1224 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft Office | CVE-2020-1218 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2020-1193 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1345 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1205 | Microsoft SharePoint Spoofing Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1210 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1514 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1595 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1523 | Microsoft SharePoint Server Tampering Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1440 | Microsoft SharePoint Server Tampering Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1200 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1482 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1198 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1227 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1576 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1452 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1575 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1453 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2020-1460 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Microsoft OneDrive | CVE-2020-16853 | OneDrive for Windows Elevation of Privilege Vulnerability |
| Microsoft OneDrive | CVE-2020-16851 | OneDrive for Windows Elevation of Privilege Vulnerability |
| Microsoft OneDrive | CVE-2020-16852 | OneDrive for Windows Elevation of Privilege Vulnerability |
| Microsoft Scripting Engine | CVE-2020-1057 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2020-1180 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2020-1172 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Windows | CVE-2020-1596 | TLS Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2020-1169 | Windows Runtime Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1593 | Windows Media Audio Decoder Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2020-1159 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1598 | Windows UPnP Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0790 | Microsoft splwow64 Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0922 | Microsoft COM for Windows Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2020-0782 | Windows Cryptographic Catalog Services Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0648 | Windows RSoP Service Application Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0766 | Microsoft Store Runtime Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1590 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1376 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1471 | Windows CloudExperienceHost Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-16879 | Projected Filesystem Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2020-1013 | Group Policy Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1532 | Windows InstallService Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1491 | Windows Function Discovery Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1303 | Windows Runtime Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1252 | Windows Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2020-1559 | Windows Storage Services Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1507 | Microsoft COM for Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1508 | Windows Media Audio Decoder Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2020-0914 | Windows State Repository Service Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2020-0886 | Windows Storage Services Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0989 | Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2020-0875 | Microsoft splwow64 Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2020-0912 | Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1038 | Windows Routing Utilities Denial of Service |
| Microsoft Windows | CVE-2020-0908 | Windows Text Service Module Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2020-1052 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0911 | Windows Modules Installer Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0805 | Projected Filesystem Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2020-1119 | Windows Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2020-1146 | Microsoft Store Runtime Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-0951 | Windows Defender Application Control Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2020-1122 | Windows Language Pack Installer Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2020-1098 | Windows Shell Infrastructure Component Elevation of Privilege Vulnerability |
| Microsoft Windows Codecs Library | CVE-2020-1319 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability |
| Microsoft Windows Codecs Library | CVE-2020-0997 | Windows Camera Codec Pack Remote Code Execution Vulnerability |
| Microsoft Windows Codecs Library | CVE-2020-1129 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability |
| Microsoft Windows DNS | CVE-2020-0839 | Windows dnsrslvr.dll Elevation of Privilege Vulnerability |
| Microsoft Windows DNS | CVE-2020-1228 | Windows DNS Denial of Service Vulnerability |
| Microsoft Windows DNS | CVE-2020-0836 | Windows DNS Denial of Service Vulnerability |
| Open Source Software | CVE-2020-16873 | Xamarin.Forms Spoofing Vulnerability |
| SQL Server | CVE-2020-1044 | SQL Server Reporting Services Security Feature Bypass Vulnerability |
| Visual Studio | CVE-2020-16874 | Visual Studio Remote Code Execution Vulnerability |
| Visual Studio | CVE-2020-16856 | Visual Studio Remote Code Execution Vulnerability |
| Visual Studio | CVE-2020-16881 | Visual Studio JSON Remote Code Execution Vulnerability |
| Windows DHCP Server | CVE-2020-1031 | Windows DHCP Server Information Disclosure Vulnerability |
| Windows Diagnostic Hub | CVE-2020-1130 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability |
| Windows Diagnostic Hub | CVE-2020-1133 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability |
| Windows Hyper-V | CVE-2020-0904 | Windows Hyper-V Denial of Service Vulnerability |
| Windows Hyper-V | CVE-2020-0890 | Windows Hyper-V Denial of Service Vulnerability |
| Windows Kernel | CVE-2020-0941 | Win32k Information Disclosure Vulnerability |
| Windows Kernel | CVE-2020-0928 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2020-16854 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2020-1034 | Windows Kernel Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2020-1033 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2020-1589 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2020-1592 | Windows Kernel Information Disclosure Vulnerability |
| Windows Print Spooler Components | CVE-2020-1030 | Windows Print Spooler Elevation of Privilege Vulnerability |
| Windows Shell | CVE-2020-0870 | Shell infrastructure component Elevation of Privilege Vulnerability |