September 2020 Patch Tuesday

Welcome to our Patch Tuesday recap for September 8, 2020. This month’s patches fix 129 vulnerabilities, 20 of which have been designated ‘Critical’ by Microsoft. None of the vulnerabilities have been publicly disclosed prior to patching or exploited in the wild.

Windows

Microsoft’s OS was patched for a particularly dangerous vulnerability that allowed for an attacker to execute arbitrary code with system privileges. The attacker would have to convince the user to run a maliciously crafted application or execute code some other way before using this exploit to elevate privileges. Microsoft has rated this vulnerability as “Critical” with “Exploitation Less Likely” currently.

Microsoft Dynamics 365

Microsoft Dynamics 365 servers were patched for a vulnerability where the server failed to sanitize web requests to an affected Dynamics server. The SQL service account would run the commands in the web request from an authenticated user, within its own context. Microsoft also patched a vulnerability where an authenticated attacker could send a maliciously crafted file to the Dynamics server, and, when processed, would result in script execution. Microsoft rates both vulnerabilities as “Critical.”

Exchange Server

Exchange servers were vulnerable to a particularly notable exploit in which a specially crafted email could cause the server to execute arbitrary code with system-level privileges. This exploit requires no user interaction and is a top priority for patching due to its severity. Microsoft rates this vulnerability as “Critical” and “Less Likely for Exploit” currently.

Office

Office received its usual attention for the month. Excel and Word both had multiple remote code execution vulnerabilities patched this month. All the vulnerabilities would have executed code within the context of the current user, reminding us to exercise the principle of least privilege.