
September’s Patch Tuesday heavy on RCE vulnerabilities

Microsoft’s September update contains patches for 129 common vulnerabilities and exposures, including a high number of remote code execution issues

Continuing a run of bumper Patch Tuesday updates stretching back to the beginning of 2020, Microsoft has issued fixes for 129 common vulnerabilities and exposures (CVEs) in its September release. Twenty-three of them are rated critical, and the release includes a higher than usual number of remote code execution (RCE) vulnerabilities, although none of them had yet been publicly disclosed or exploited in the wild.

The latest round of patches also covers bugs in ChakraCore, SQL Server, JET Database Engine, Office and Office Services and Web Apps, Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive and Azure DevOps.

Gill Langston, head security nerd at SolarWinds MSP, said: “While none of the critical vulnerabilities appear to be under active attack at the time of review, there is a higher count of vulnerabilities Microsoft has chosen to label as critical – at least in comparison to the past few months.

“Additionally, most vulnerabilities are marked as ‘important’, with only a handful listed as ‘low’ or ‘moderate’. For September, Microsoft has listed all the critical vulnerabilities as exploitation less likely,” said Langston.

“There are no emergency vulnerabilities this month, at the time of this writing, so the guidance is to ensure you’re addressing the workstation devices on their normal patch schedule to address operating system and browser vulnerabilities, and servers on their next available maintenance window,” he added.

“Make sure your Active Directory servers are highest priority on the server front. If you’re running on-premise Exchange or SharePoint, they should be next on your list.”

Justin Knapp, Automox product marketing manager, added: “As many organisations continue to struggle to support the ongoing distribution of remote workers, Microsoft continues to pile on the updates this month.

“Finding an efficient method for rolling out these patches has become even more imperative as companies begin to abandon the idea of a short-term fix and shift operations to embrace remote work as part of a lasting, long-term progression of how organisations operate moving forward.

“While there are fortunately no zero-day surprises to worry about this month, failure to resolve these vulnerabilities in a timely fashion creates unnecessary exposure and risk at a time when attackers are looking to take advantage of a growing attack surface and exploit the additional exposure that remote workers introduce,” he said.

“We’re beginning to realise the negative outcomes of the lenient security measures put in place to quickly adapt to a decentralised workforce and it’s become more important than ever to establish patching policies that can securely support remote endpoints for the foreseeable future.”

Observers noted the particularly high number of RCE vulnerabilities this month and singled out several of the more troubling bugs. RCE vulnerabilities can often be exploited quickly and easily, giving a malicious actor access to your organisation’s network and data, the ability to exfiltrate it, or the ability to run malicious code.

These include CVE-2020-16875, a remote code execution vulnerability that exists in Microsoft Exchange Server due to improper validation of cmdlet arguments. If successfully exploited, an attacker could run arbitrary code as the system user, although exploitation requires the compromise of an authenticated user in a certain Exchange role.

Also of note are CVE-2020-1285, a GDI+ RCE vulnerability that has been identified in the way the Windows Graphic Design Interface handles objects in memory, opening up web-based and file-sharing attack scenarios; CVE-2020-16874, a Visual Studio RCE that could be exploited if a user with admin rights can be persuaded to open a malicious file using an affected version of Visual Studio; and CVE-2020-1508 and CVE-2020-1593, a pair of vulnerabilities in the Windows Media Audio Encoder that stem from the way it handles objects.

No fewer than seven of September’s RCEs are to be found in Microsoft SharePoint. These are CVE-2020-1452, CVE-2020-1453, CVE-2020-1576, CVE-2020-1200, CVE-2020-1210, CVE-2020-1595 and CVE-2020-1460. The first six are the result of deserialising untrusted data input, explained Automox senior product marketing manager Nick Colyer, and allow arbitrary code execution in the context of the SharePoint application pool and the SharePoint server farm account. CVE-2020-1460 is the result of ASP.Net web controls being improperly identified and filtered.

“Exploitation requirements are a bit more involved as a malicious threat actor must be authenticated and additionally have crafted a special SharePoint page in order to perform actions in the context of the SharePoint application pool process,” noted Colyer.
