Microsoft has released the September 2020 Security updates that includes patches for 129 vulnerabilities, 24 of them rated Critical. Adobe also released updates for Experience Manager, Framemaker and InDesign.
In all, the Microsoft security updates address vulnerabilities in the following products:
- Azure DevOps
- Internet Explorer
- Microsoft ChakraCore
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Edge (EdgeHTML-based)
- Microsoft Exchange Server
- Microsoft JET Database Engine
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft OneDrive
- Microsoft Windows
- SQL Server
- SQL Server
- Visual Studio.
Microsoft has provided patches for each of the vulnerabilities and also summarized them in the September 2020 Security Updates Release Notes.
Readers can also check out more vulnerability and patch details in Microsoft’s Security Update Guide.
All of the Critical vulnerabilities are remote code execution (RCE) vulnerabilities, 24 in total.
Microsoft patched 7 Critical SharePoint RCE bugs – CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, CVE-2020-1460, CVE-2020-1576 and CVE-2020-1595.
“A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,” Microsoft stated in several of the SharePoint advisories.
In addition, Microsoft patched Critical RCE vulnerabilities in the following products:
- ChakraCore: CVE-2020-0878, CVE-2020-1057 and CVE-2020-1172.
- Dynamics 365 for Finance and Operations: CVE-2020-1182 and CVE-2020-16857
- Internet Explorer 11: CVE-2020-0878
- Microsoft Business Productivity Servers 2010 Service Pack 2: CVE-2020-1210
- Microsoft Dynamics 365 (on-premises) version 9.0: CVE-2020-16862
- Microsoft Edge: CVE-2020-0878, CVE-2020-1057 and CVE-2020-1172
- Microsoft Exchange Server (multiple versions): CVE-2020-16875
- Microsoft Visual Studio (multiple versions): CVE-2020-16874
- Windows 10 (multiple versions): CVE-2020-0908, CVE-2020-0922, CVE-2020-0997, CVE-2020-1129, CVE-2020-1252, CVE-2020-1285, CVE-2020-1319, CVE-2020-1508 and CVE-2020-1593.
According to Microsoft, none of advisories had known exploits as of the original advisory posting dates.
Finally, the remaining patches address vulnerabilities rated Important, to include: Denial of Service (5), Elevation of Privilege (41), Information Disclosure (23), RCE (15), Security Feature Bypass (3), Spoofing (16) and Tampering (2).
Adobe also released updates for InDesign, Framemaker and Experience Manager.
The security update for Experience Manager APSB20-52 fixes 5 Critical Abitrary Code Execution vulnerabilities CVE-2020-9727, CVE-2020-9728, CVE-2020-9729, CVE-2020-9730 and CVE-2020-9731.
The Framemaker update APSB20-54 addresses 2 Critical Abitrary Code Execution bugs CVE-2020-9725 and CVE-2020-9726.
Finally, the Experience Manager patch APSB20-56 addresses multiple Information Disclosure, Cross Site Scripting, Privilege Execution and HTML injection vulnerabilities.
- Microsoft August 2020 Security and Adobe Updates
- Microsoft July 2020 Security Updates and patch for ‘Wormable’ RCE Vulnerability in Window DNS Server
- Microsoft takes down malicious domains used in COVID-19 related phishing campaign
- BIND and Microsoft DNS security updates