This month’s Patch Tuesday includes patches for 15 Microsoft products, including 23 critical CVEs.
Microsoft has addressed 129 security issues as part of its September 2020 Patch Tuesday update.
The company patched 23 Common Vulnerabilities and Exposures (CVEs) – security flaws – marked as ‘critical’ this month, with 105 marked as ‘important’ and one as ‘moderate’, in terms of their severity.
September’s security update covers 15 Microsoft products and services in total, including Microsoft Edge (legacy and Chromium), Internet Explorer, SQL Server, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Microsoft Exchange Server, Microsoft OneDrive and Azure DevOps.
Many of this month’s vulnerabilities are privilege-specific, meaning the vulnerabilities pose greater threats to admins with full system access than to users without administrative rights.
The highest-severity issues resolved by Microsoft relate to the Windows operating system, SharePoint, Microsoft Edge and Microsoft Dynamics 365, though none of the bugs is believed to have been exploited or publicly known.
Microsoft Exchange received a patch for CVE-2020-16875, a bug that an attacker could exploit by sending a malicious email to the affected Exchange Server.
Windows Text Service Module received a patch for CVE-2020-0908, a vulnerability through which an attacker could lure users to a malicious website via the new Chromium-based Microsoft Edge. An attacker who successfully exploited the vulnerability could then take control of the victim’s system.
Another remote code execution (RCE) flaw addressed by Microsoft is CVE-2020-0922, a vulnerability that exists in the way Microsoft COM for Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system.
Commenting, Gill Langston, head of security at SolarWinds MSP, said: “There are no emergency vulnerabilities this month at the time of this writing, so the guidance is to ensure you’re addressing the workstation devices on their normal patch schedule (to address operating system and browser vulnerabilities), and servers on their next available maintenance window.
“As is best practice, it’s a good idea to audit the rights you allow your users to have on workstation systems. While it’s more convenient to simply make them administrators, limiting their rights on workstations can reduce the risk when they inevitably click on that link or visit a malicious webpage.”
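The audit of workstation rights recommended above can be scripted. The following is an added example, not code from the article or from SolarWinds: it queries the local Administrators group on a set of workstations over WinRM and reports any member not on an allow-list. The hostnames and the allow-list are hypothetical placeholders, and it assumes PowerShell 5.1 or later on the targets.

```powershell
# Added example: report unexpected members of the local Administrators group on workstations.
# Assumptions: WinRM is enabled on the targets, the caller has rights to query them,
# and the hostnames and allow-list below are hypothetical placeholders.
$Workstations  = @('WS-001', 'WS-002')                                     # hypothetical hostnames
$AllowedAdmins = @('Administrator', 'Domain Admins', 'Workstation Admins') # hypothetical allow-list

# Collect Administrators group membership from each workstation.
$Findings = Invoke-Command -ComputerName $Workstations -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [PSCustomObject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $_.Name            # e.g. CORP\jdoe or WS-001\localuser
            ObjectClass = $_.ObjectClass     # User or Group
            Source      = $_.PrincipalSource # Local, ActiveDirectory or AzureAD
        }
    }
}

# Flag any member whose account name (after the DOMAIN\ prefix) is not on the allow-list.
# '-split' takes a regex, so '\\' matches a single backslash.
$Unexpected = $Findings | Where-Object {
    $AllowedAdmins -notcontains ($_.Member -split '\\')[-1]
}

$Unexpected | Sort-Object Computer, Member | Format-Table Computer, Member, ObjectClass, Source -AutoSize
if ($Unexpected) {
    Write-Warning "$(($Unexpected | Measure-Object).Count) unexpected local admin entries found"
}
```

Unreachable hosts are reported by Invoke-Command as non-terminating errors, so the list of findings should be read alongside that error output rather than treated as complete.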