November 27, 2022

Paull Ank Ford

Business Think different

Patch Tuesday September Brings 129 MSFT Bugs, 23 Critical

FavoriteLoadingIncorporate to favorites

“… That doesn’t quite make it wormable, but it is about the worst-case scenario for Exchange servers”

Microsoft’s “Patch Tuesday” is the moment again (potentially by now unsurprisingly) a whopper, with 129 vulnerabilities to resolve 23 of them rated essential and a chunky one zero five mentioned as important — up from August’s tally of one hundred twenty CVEs, with seventeen thought of essential.

If there’s a silver lining to this cloud it is that — compared with previous thirty day period — none are mentioned as less than active attack. Nevertheless the release provides Microsoft’s tally of bugs needing fixing this year to 991, and contains patches for some severe vulnerabilities that no lack of nicely-resourced undesirable actors will be searching to quickly reverse engineer.

In the real world, of class, doing work out what to patch is a perennial dice-roll (for all those not in the sunlit uplands where rebooting systems at the simply click of It’s fingers is doable for most it is not) and as 1 contributor not long ago observed in a lively debate about risk prioritisation on the OSS-safety mailing record, “the frameworks which do exist, this kind of as CVSS, are fully arbitrary and not able to consider into account details about the variety of stop person deployments”. (Other people may disagree. Truly feel cost-free to weigh in).

Regardless, there’s heaps to patch! Here are some that stand out.

CVE-2020-16875 – Microsoft Exchange Memory Corruption Vulnerability. CVSS, nine.1.

This bug permits an attacker to execute code at Process by sending a specifically crafted e-mail to an impacted Exchange Server (2016, 2019).

As Craze Micro’s ZDI notes: “That doesn’t quite make it wormable, but it is about the worst-case scenario for Exchange servers.

“We have found the earlier patched Exchange bug CVE-2020-0688 utilized in the wild, and that calls for authentication. We’ll likely see this 1 in the wild shortly.”

Credit rating for the obtain goes to the prolific Steven Seeley. 

CVE-2020-1452 // -1453 // -1576 // -1200 // -1210 // -1595 – Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2020-1452, 1453, 1576, 1200, 1210, and 1595 are all essential remote code execution vulnerabilities identified in Microsoft SharePoint.

As patch management professional Automox notes: “The result of deserializing untrusted facts input, the vulnerability permits arbitrary code execution in the SharePoint software pool and server farm account. Variations of the attack this kind of as CVE-2020-1595 (API distinct), reflect the significance of patching this vulnerability to lessen the danger surface.”

Credit rating to Oleksandr Mirosh

CVE-2020-0922 — Remote Code Execution Vulnerability in Microsoft COM for Home windows. CVSS eight.eight

This vulnerability impacts Home windows 7 – ten and Home windows Server 2008 by means of 2019. The vulnerability exists in the way Microsoft COM handles objects in memory and, when exploited, would allow for an attacker to execute arbitrary scripts on a victim equipment. As safety intelligence company Recorded Future’s Allan Liska notes: “To exploit a vulnerability an attacker would will need to get a victim to execute a destructive JavaScript on the victim’s equipment. If this vulnerability is at some point weaponized, it would be in line with latest traits of attackers applying so-named fileless malware in their attacks by sending phishing e-mail with destructive scripts as attachments.”

Credit rating, Yuki Chen, 360 BugCloud

Intel meanwhile patched a essential (CVSS nine.eight) bug in its Lively Administration Engineering (AMT) which lets unauthenticated buyers escalate privilege “via network access”. The bug, which has shades of colossal “backdoor” CVE-2017-5689 to it, was described internally and is becoming patched via Intel-SA-00404. 

Microsoft’s Patch Tuesday September direction commences in this article.