Microsoft addresses 129 security vulnerabilities in its September 2020 Patch Tuesday update
Twenty-three are rated as 'Critical', many affect SharePoint
Microsoft has released its September 2020 Patch Tuesday update, addressing a total of 129 security vulnerabilities across a suite of its products/platforms.
Of 129 vulnerabilities fixed this month, 23 are rated as 'Critical', 105 while are ' Important ' in terms of severity and one is a 'Moderate' bug.
None of the bugs fixed are publicly known or under active exploitation, the company said.
According to security experts, the most critical issue among all bugs fixed this month is the memory corruption flaw in Microsoft Exchange Server. Indexed as CVE-2020-16875, this bug could enable a remote attacker to perform remote code execution by sending a specially crafted email to a vulnerable system. After compromising the system, attackers could run arbitrary code and get access levels needed to create new accounts, modify or delete data and install malicious programmes.
The vulnerability only affects Exchange Server versions 2016 and 2019, according to the company.
Many critical and important bugs fixed by Microsoft affect various editions of SharePoint software (Server, Enterprise, and Foundation). One of them, indexed as CVE-2020-1210, is a remote code execution (RCE) bug arising due to a failure to check an application package ' s source markup. An attacker could exploit the flaw after uploading a SharePoint application package to a vulnerable SharePoint site.
CVE-2020-0922 is a critical RCE vulnerability impacting Microsoft Common Object Model (COM). An attacker can exploit this vulnerability by tricking a user into visiting a site with malicious JavaScript.
Another interesting patch released by the software giant is that for CVE-2020-0951. This security feature bypass vulnerability impacts Windows Defender Application Control (WDAC); patches are available for Windows 10 and Windows Server 2016 and above.
CVE-2020-0908 is a Windows Text Service Module RCE flaw that attackers can exploit by luring a user into visiting a site containing malicious "user-provided content or advertisements."
Other Microsoft products that have received patches for security vulnerability in September include Microsoft Dynamics 365, Windows Media Audio Decoder, Windows Defender, Microsoft Edge (both Chromium-based and EdgeHTML-based), Internet Explorer, Visual Studio, ChakraCore, SQL Server, ASP.NET, Azure DevOps, Office and Office Services and Web Apps.