Microsoft’s Patch Tuesday Packed with Critical RCE Bugs

The most concerning of the disclosed bugs would allow an attacker to take over Microsoft Exchange just by sending an email.

Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 that are important in severity and one moderate bug. Fortunately, none are publicly known or under active exploitation, Microsoft said.

The most severe issue in the bunch is CVE-2020-16875, according to researchers. This is a memory-corruption problem in Microsoft Exchange that allows remote code-execution (RCE) just by sending an email to a target. Running arbitrary code could grant attackers the access they need to create new accounts, access, modify or remove data, and install programs.


“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server,” wrote Dustin Childs, researcher at Trend Micro’s Zero-Day Initiative (ZDI), in an analysis on Tuesday. “That is about the worst-case scenario for Exchange servers. We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon. This should be your top priority.”

Justin Knapp, product marketing manager at Automox, added that while this vulnerability only affects Exchange Server versions 2016 and 2019, “the broad use of Microsoft Exchange across business users and a high CVSS score of 9.1 indicates that this patch should be prioritized high on the list.”

Another critical RCE vulnerability that should be prioritized for patching is CVE-2020-1210, which exists in SharePoint due to a failure to check an application package’s source markup. It rates 9.9 out of 10 on the CVSS severity scale.

“To exploit this flaw, an attacker would need to be able to upload a SharePoint application package to a vulnerable SharePoint site,” Satnam Narang, staff research engineer at Tenable, said via email. “This vulnerability is reminiscent of a similar SharePoint remote code-execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.”

There are a total of seven RCE bugs being fixed in SharePoint. Only one, CVE-2020-1460, requires authentication.

Knapp flagged another critical RCE vulnerability (rated 8.4 on the CVSS scale) in the Windows Graphics Device Interface (GDI), CVE-2020-1285. It arises because of the way the GDI handles objects in memory, providing both web-based and file-sharing attack scenarios that could give an attacker multiple vectors to gain control of a system, he said.

“In the web-based attack scenario, an attacker would need to craft a website designed to exploit the vulnerability and then convince users to view the website,” Knapp noted. “Since there’s no way to force users to view the attacker-controlled content, the attacker would need to convince users to take action, typically by getting them to open an email attachment or click a link. In the file-sharing scenario, the attacker would need to convince users to open a specially crafted file designed to exploit the vulnerability. Given the extensive list of Windows and Windows Server versions impacted and the lack of a workaround or mitigation, this is a vulnerability that should be patched immediately.”

September’s slew of patches also features several other RCE bugs, including one in the Microsoft Windows Codecs Library (CVE-2020-1129, with an 8.8 CVSS rating), which is used by multiple applications and can therefore affect a wide range of programs. An attacker could execute code on a victim machine by convincing someone to view a weaponized video clip.

“[This] could allow code execution if an affected system views a specially crafted image,” Childs explained. “The specific flaw exists within the parsing of HEVC streams. A crafted HEVC stream in a video file can trigger an overflow of a fixed-length stack-based buffer.”
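The defect class Childs describes, an attacker-controlled length field copied into a fixed-length stack buffer, is the same whatever the container format. The following C example is added here for illustration and is not code from the Windows Codecs Library or from Microsoft; the one-byte-length chunk format, the 64-byte buffer size and the three sample streams are all constructed. It shows the two checks (destination capacity and bytes actually remaining) that must run before the copy, and returns a distinct error code for each failure so a caller can log which class of malformed input it rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy chunked format (constructed for illustration, not real HEVC):
 * each chunk is a 1-byte declared payload length followed by that many bytes. */
#define CHUNK_BUF 64

/* Return codes of parse_stream(). */
#define PARSE_ERR_OVERSIZED  (-1)  /* declared length exceeds the fixed buffer */
#define PARSE_ERR_TRUNCATED  (-2)  /* declared length exceeds bytes remaining */

/* Walks the stream, copying each chunk's payload into a fixed-length
 * stack buffer. The untrusted length byte is validated against both the
 * buffer capacity and the bytes actually remaining BEFORE the memcpy;
 * omitting the capacity check is the defect class described in the article.
 * Returns the number of chunks parsed, or a negative PARSE_ERR_* code. */
int parse_stream(const uint8_t *stream, size_t stream_len) {
    uint8_t chunk[CHUNK_BUF];   /* fixed-length stack-based buffer */
    size_t pos = 0;
    int count = 0;

    while (pos < stream_len) {
        size_t declared = stream[pos];          /* attacker-controlled */
        size_t remaining = stream_len - pos - 1;

        if (declared > sizeof chunk) return PARSE_ERR_OVERSIZED;
        if (declared > remaining)    return PARSE_ERR_TRUNCATED;

        memcpy(chunk, stream + pos + 1, declared);
        pos += 1 + declared;
        count++;
    }
    return count;
}

/* Constructed sample streams. */
static const uint8_t BENIGN_STREAM[]    = { 3, 'a', 'b', 'c', 2, 'd', 'e' };
/* First chunk claims 200 bytes, far more than the 64-byte buffer. */
static const uint8_t OVERSIZED_STREAM[] = { 200, 'x', 'y', 'z' };
/* Claims 5 bytes but only 2 follow. */
static const uint8_t TRUNCATED_STREAM[] = { 5, 'p', 'q' };

int parse_benign(void)    { return parse_stream(BENIGN_STREAM, sizeof BENIGN_STREAM); }
int parse_oversized(void) { return parse_stream(OVERSIZED_STREAM, sizeof OVERSIZED_STREAM); }
int parse_truncated(void) { return parse_stream(TRUNCATED_STREAM, sizeof TRUNCATED_STREAM); }

int main(void) {
    printf("benign: %d chunks\n", parse_benign());       /* 2 */
    printf("oversized: %d\n", parse_oversized());        /* -1 */
    printf("truncated: %d\n", parse_truncated());        /* -2 */
    return 0;
}
```

The capacity check is deliberately written against `sizeof chunk` rather than a separate constant, so that resizing the buffer cannot silently desynchronise the bound from the destination; the remaining-bytes check prevents the complementary over-read.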

Another critical RCE problem exists in the Microsoft Component Object Model (COM) for Windows (CVE-2020-0922), which is a platform-independent system for creating binary software components that can interact with each other. Like the previous bug, there are likely multiple applications that could be impacted by the flaw if they use COM. It rates 8.8 on the CVSS scale.

“This patch corrects a vulnerability that would allow an attacker to execute code on an affected system if they can convince a user to open a specially crafted file or lure the target to a website hosting malicious JavaScript,” Childs explained.

Meanwhile, CVE-2020-16874 is a critical RCE vulnerability within Visual Studio, rating 7.8. An attacker could successfully exploit this vulnerability by convincing a user to open a specially crafted file using an affected version of the software.

“If the compromised user is logged in with admin rights, the attacker could take control of the affected system and gain the ability to install programs; view, change, or delete data; or create new accounts with full user rights,” Automox’s Knapp said. “The vulnerability exists in multiple versions of Visual Studio dating back to 2012.”

Among the other bugs of note, Childs also highlighted CVE-2020-0951, an important-rated security feature bypass bug in Windows Defender.

“An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code,” Childs said. “This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all. Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”

September’s Patch Tuesday release continues a trend of high-volume security updates. The patches are for a wide range of products, including Microsoft Windows, Edge (both EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), SQL Server, Office and Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive and Azure DevOps.

“That brings us to seven straight months of 110+ CVEs,” said Childs. “It also brings the yearly total close to 1,000. It certainly seems like this volume is the new normal for Microsoft patches.”

Organizations are struggling to keep up, Knapp noted.

“As many organizations continue to struggle to support the ongoing distribution of remote workers, Microsoft continues to pile on the updates,” he said. “Finding an efficient method for rolling out these patches has become even more imperative as companies begin to abandon the idea of a short-term fix and shift operations to embrace remote work as part of a lasting, long-term progression of how organizations operate moving forward…. We’re beginning to realize the negative outcomes of the lenient security measures put in place to quickly adapt to a decentralized workforce and it’s become more important than ever to establish patching policies that can securely support remote endpoints for the foreseeable future.”

Meanwhile, Adobe fixed five critical cross-site scripting (XSS) flaws in Experience Manager as part of its regularly scheduled patches on Tuesday. It also addressed flaws in Adobe Framemaker, its document-processor designed for writing and editing large or complex documents; and InDesign, its desktop publishing and typesetting software application.
