Microsoft September 2020 Patch Tuesday security updates address 129 vulnerabilities, including twenty critical remote code execution issues.
Microsoft September 2020 Patch Tuesday security updates address 129 vulnerabilities in Microsoft products across 15 products (Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), SQL Server, Office and Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive, and Azure DevOps).
23 vulnerabilities are classified as Critical, and 105 are classified as Important, and one 1 as moderate, none of the addressed issues is a zero-day flaw.
Some of the most severe flaws are:
- CVE-2020-0922 – Microsoft COM for Windows Remote Code Execution Vulnerability, which can be exploited by tricking the victims into visiting a website hosting a malicious JavaScript.
- CVE-2020-16875 – Microsoft Exchange Memory Corruption Vulnerability, which can be exploited by a remote attacker to execute arbitrary code by sending a specially crafted email to an Exchange server.
- CVE-2020-0908 – Windows Text Service Module Remote Code Execution Vulnerability, which can be exploited by tricking a user into visiting a site that contains malicious “user-provided content or advertisements.”
- CVE-2020-1129 – Microsoft Windows Codecs Library Remote Code Execution Vulnerability, which can be exploited to perform code execution if an affected system views a specially crafted image. Since this vulnerability resides in the codecs library, multiple applications could be affected. The specific flaw affects the parsing process of HEVC streams. A crafted HEVC stream in a video file can trigger an overflow of a fixed-length stack-based buffer.
None of the vulnerabilities addressed by Microsoft under active attack at the time of release.
To read the original article:
https://securityaffairs.co/wordpress/108071/security/microsoft-sep-2020-patch-tuesday.html