The most worrying of the disclosed bugs would let an attacker take over Microsoft Exchange by just sending an email.
Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 rated important in severity and one moderate bug. Fortunately, none are publicly known or under active exploitation, Microsoft said.
Researchers say the worst issue is CVE-2020-16875, a memory-corruption vulnerability in Microsoft Exchange that allows remote code execution (RCE) simply by sending an email to a target.
Running arbitrary code could give attackers the access they need to create new accounts; access, modify or delete data; and install programs.
“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server,” observed Dustin Childs, Researcher at Trend Micro’s Zero-Day Initiative (ZDI), in an analysis on Tuesday.
“That is about the worst-case scenario for Exchange servers. We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We will likely see this one in the wild soon. This should be your top priority.”
Justin Knapp, Product Marketing Manager at Automox, added that while this vulnerability only affects Exchange Server versions 2016 and 2019, “the broad use of Microsoft Exchange across business users and a high CVSS score of 9.1 indicates that this patch should be prioritised high on the list.”
Another critical RCE vulnerability that should be prioritised for patching is CVE-2020-1210, which exists in SharePoint because of a failure to check an application package’s source mark-up. It rates 9.9 out of 10 on the CVSS severity scale.
“To exploit this flaw, an attacker would need to be able to upload a SharePoint application package to a vulnerable SharePoint site,” Satnam Narang, Staff Research Engineer at Tenable, said via email.
“This vulnerability is reminiscent of a similar SharePoint remote code-execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.”
A total of seven RCE bugs are being fixed in SharePoint. Only one, CVE-2020-1460, requires authentication.
Knapp flagged another critical RCE vulnerability (rated 8.4 on the CVSS scale) in the Windows Graphics Device Interface (CVE-2020-1285). It arises from the way GDI handles objects in memory, and it offers both web-based and file-sharing attack scenarios, giving an attacker multiple vectors to gain control of a system, he suggested.
“In the web-based attack scenario, an attacker would need to craft a website designed to exploit the vulnerability and then convince users to view the website,” Knapp noted.
“Since there is no way to force users to view the attacker-controlled content, the attacker would need to convince users to take action, typically by getting them to open an email attachment or click a link. In the file-sharing scenario, the attacker would need to convince users to open a specially crafted file designed to exploit the vulnerability.
Given the extensive list of Windows and Windows Server versions impacted and the lack of a workaround or mitigation, this is a vulnerability that should be patched immediately.”
September’s patches also address several other RCE bugs, including one in the Microsoft Windows Codecs Library (CVE-2020-1129, with an 8.8 CVSS rating), which is used by multiple applications and can therefore affect a wide range of programs. An attacker could execute code on a victim’s machine by convincing someone to view a weaponised video clip.
“This could allow code execution if an affected system views a specially crafted image,” Childs explained. “The specific flaw exists within the parsing of HEVC streams. A crafted HEVC stream in a video file can trigger an overflow of a fixed-length stack-based buffer.”
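The bug class Childs describes, a fixed-length stack buffer filled according to a length field read from the file, is easy to see in miniature. The following is an added illustration, not the codec’s code and not real HEVC syntax: the unit layout (one type byte, one length byte, then payload), the buffer size and the sample bytes are all constructed here. `overrun_bytes` reports how far a length-trusting copy would write past the buffer without performing the copy, and `parse_unit` shows the two checks a safe parser needs, against the buffer capacity and against the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout for illustration only: [type][len][payload...]. */
enum { UNIT_BUF_SIZE = 16 };

/* How many bytes a copy that trusts the declared length would write past
 * a UNIT_BUF_SIZE stack buffer. Returns 0 when the payload would fit.
 * Computes only; nothing is copied. */
size_t overrun_bytes(const uint8_t *s, size_t n) {
    if (n < 2) return 0;
    size_t declared = s[1];
    return declared > UNIT_BUF_SIZE ? declared - UNIT_BUF_SIZE : 0;
}

/* Hardened parse: the declared length must fit the output buffer AND must
 * not exceed the bytes remaining in the stream (the second check prevents
 * an over-read on a truncated file). Returns payload length or -1. */
int parse_unit(const uint8_t *s, size_t n, uint8_t *out, size_t out_cap) {
    if (n < 2) return -1;                 /* no header */
    size_t declared = s[1];
    if (declared > out_cap) return -1;    /* would overflow the fixed buffer */
    if (declared > n - 2) return -1;      /* stream shorter than it claims */
    memcpy(out, s + 2, declared);
    return (int)declared;
}

/* The fixed-length stack buffer pattern from the text, with the checks in place. */
int parse_into_stack_buffer(const uint8_t *s, size_t n) {
    uint8_t unit[UNIT_BUF_SIZE];
    return parse_unit(s, n, unit, sizeof unit);
}

/* Constructed sample streams (not real video data). */
static const uint8_t sample_good[]      = {0x26, 0x04, 0xAA, 0xBB, 0xCC, 0xDD};
static const uint8_t sample_crafted[]   = {0x26, 0xFF, 0x41, 0x41, 0x41}; /* claims 255 bytes */
static const uint8_t sample_truncated[] = {0x26, 0x08, 0x01, 0x02};       /* claims 8, has 2 */

int main(void) {
    printf("good:      %d\n", parse_into_stack_buffer(sample_good, sizeof sample_good));
    printf("crafted:   %d (unchecked copy would overrun by %zu bytes)\n",
           parse_into_stack_buffer(sample_crafted, sizeof sample_crafted),
           overrun_bytes(sample_crafted, sizeof sample_crafted));
    printf("truncated: %d\n", parse_into_stack_buffer(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

The crafted sample is rejected at the capacity check, the truncated one at the remaining-bytes check; a parser with only the first check is still exploitable as an over-read, which is why both belong together.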
Another critical RCE problem exists in the Microsoft Component Object Model (COM) for Windows (CVE-2020-0922), a platform-independent system for creating binary software components that can interact with each other. Like the previous bug, there are likely multiple applications that could be impacted by the flaw if they use COM. It rates 8.8 on the CVSS scale.
Meanwhile, CVE-2020-16874 is a critical RCE vulnerability within Visual Studio, rating 7.8. An attacker could successfully exploit this vulnerability by convincing a user to open a specially crafted file using an affected version of the software.
“If the compromised user is logged in with admin rights, the attacker could take control of the affected system and gain the ability to install programs; view, change, or delete data; or create new accounts with full user rights,” Automox’s Knapp said. “The vulnerability exists in multiple versions of Visual Studio dating back to 2012.”
Among the other bugs, Childs also mentioned CVE-2020-0951, an important-rated security feature bypass bug in Windows Defender.
“An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code,” Childs said. “This behaviour should be blocked by WDAC, which does make this an interesting bypass. However, what is really interesting is that this is getting patched at all. Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”
September’s Patch Tuesday release continues a trend of high-volume security updates.
The patches cover a wide range of products, including Microsoft Windows, Edge (both EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), SQL Server, Office and Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive and Azure DevOps.
“That brings us to seven straight months of 110+ CVEs,” said Childs. “It also brings the yearly total close to 1,000. It certainly seems like this volume is the new normal for Microsoft patches.”
Organisations are finding it hard to keep up, Knapp noted.
“As many organisations continue to struggle to support the ongoing distribution of remote workers, Microsoft continues to pile on the updates,” he commented.
“Finding an efficient method for rolling out these patches has become even more imperative as companies begin to abandon the idea of a short-term fix and shift operations to embrace remote work as part of a lasting, long-term progression of how organisations operate moving forward.”
Lenient Security Measures
“There are negative outcomes of the lenient security measures put in place to quickly adapt to a decentralised workforce, and it’s become more important than ever to establish patching policies that can securely support remote endpoints for the foreseeable future.”
Adobe also fixed five critical cross-site scripting (XSS) flaws in Experience Manager as part of its regularly scheduled patches on Tuesday. It also addressed flaws in Adobe FrameMaker, its document processor designed for writing and editing large or complex documents, and InDesign, its desktop publishing and typesetting application.