The September 2020 Patch Tuesday contains fixes for 23 Critical vulnerabilities in Microsoft products and 129 fixes in total – including a Microsoft Exchange vulnerability that can allow remote code execution simply by sending a specially crafted email to the server.
A large patch bundle is a double-edged sword – it is reassuring that the vulnerabilities are being discovered and fixed, but the sheer number of patches can be a nightmare for system administrators to test, schedule and install.
Full details of this month's patches are listed in the Microsoft release notes.
Interesting critical patches that security managers may want to prioritise include:
- CVE-2020-16875 – Microsoft Exchange Remote Code Execution Vulnerability is related to how Exchange handles cmdlet arguments. It can allow a remote attacker to execute code in the context of the SYSTEM user simply by sending a specially crafted email to an Exchange server (exploitation requires an authenticated user in a certain Exchange role to be compromised).
- CVE-2020-0908 – Windows Text Service Module Remote Code Execution Vulnerability can be exploited by tricking a user into visiting a malicious website or a site that contains malicious “user-provided content or advertisements.”
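For administrators who need to know which machines still lack this month's fixes, the following PowerShell script is an added example (it is not part of the original post and not Microsoft tooling). It assumes a list of Windows hosts reachable from an administrative workstation; the host names are constructed, and the KB article numbers are placeholders that must be taken from the Microsoft release notes for each OS build.

```powershell
# Added example: report which hosts are missing the September 2020 updates.
# Host names below are constructed; KB numbers are placeholders from the
# release notes, not values taken from the post.

$PatchTuesday = Get-Date '2020-09-08'
# Placeholder: replace with the KB numbers for the relevant OS build(s)
# from the September 2020 Microsoft release notes.
$RequiredKBs  = @('KB<placeholder-1>', 'KB<placeholder-2>')
$Hosts        = @('srv-exch-01', 'srv-file-01')   # constructed example host names

$report = foreach ($h in $Hosts) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the remote host.
        $installed = Get-HotFix -ComputerName $h -ErrorAction Stop
    } catch {
        # Unreachable hosts are reported rather than silently skipped,
        # since an unscannable server is itself a gap in patch coverage.
        [pscustomobject]@{
            Host             = $h
            Status           = "UNREACHABLE: $($_.Exception.Message)"
            Missing          = ''
            PatchedSinceSep8 = 0
        }
        continue
    }

    $installedIds = $installed.HotFixID
    $missing = $RequiredKBs | Where-Object { $installedIds -notcontains $_ }
    # Count updates installed on or after Patch Tuesday as a quick sanity check.
    $recent  = @($installed | Where-Object { $_.InstalledOn -ge $PatchTuesday })

    [pscustomobject]@{
        Host             = $h
        Status           = if ($missing) { 'MISSING' } else { 'OK' }
        Missing          = ($missing -join ',')
        PatchedSinceSep8 = $recent.Count
    }
}

# Hosts with missing or unknown status sort to the top for triage.
$report | Sort-Object Status -Descending | Format-Table -AutoSize

# Exchange security updates are MSI-based and may not appear in Get-HotFix;
# where the Exchange Management Shell is loaded, list server builds so the
# CVE-2020-16875 fix can be checked against the build number in the release notes.
if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
    Get-ExchangeServer | Select-Object Name, AdminDisplayVersion | Format-Table -AutoSize
}
```

Run it from an account with remote WMI access to the target hosts. Because Exchange updates do not reliably show up in the hotfix list, treat the Exchange build output as the authoritative check for the Exchange fix; the Get-HotFix comparison covers the OS-level patches such as the one for the Windows Text Service Module.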