Microsoft Patches 129 Vulnerabilities With September 2020 Security Updates

Microsoft’s Patch Tuesday updates for September 2020 fix 129 vulnerabilities, but the company says none of them has been exploited in attacks or made public before patches were released.


The tech giant has assigned a critical severity rating to 23 of the vulnerabilities affecting Windows, web browsers, Dynamics 365, SharePoint, Exchange and Visual Studio. Each of the critical flaws can be exploited for remote code execution.


Trend Micro’s Zero Day Initiative (ZDI) has pointed out that, with this month’s patches, Microsoft has addressed nearly 1,000 CVEs so far this year. This is the seventh month in a row with over 110 patched vulnerabilities.


Several industry professionals have shared some thoughts on this month’s patches and what they believe to be the most interesting vulnerabilities.


Richard Tsang, senior software engineer, Rapid7:



“Microsoft's 129-Vulnerability September 2020 Update Tuesday continues the trend of a predictably high number of vulnerabilities being patched. Following standard procedures of scheduling patches for Windows Operating Systems would close the door against 60%+ of the vulnerabilities. However, there are notable server product-based vulnerabilities this month that may require a bit more forethought when scheduling a patching window.

The first vulnerability to note comes from Microsoft Exchange Server. CVE-2020-16875 is a CVSS 9.1-scoring remote code execution vulnerability. In this scenario, a specially crafted email sent to a vulnerable Exchange server could allow arbitrary code to run in the context of the System user due to improper handling of objects in memory. Noted as affecting supported versions of Exchange Server 2016/2019 Cumulative Update levels, this is something to prioritize patching early.

Then SharePoint s ..
