Microsoft September 2020 patch tuesday

Microsoft’s September edition of its regular Patch Tuesday landed yesterday, offering relief from 23 critical security vulnerabilities, including flaws in Active Directory when integrated with DNS (ADIDNS).

The vulnerability (CVE-2020-0761) in ADIDNS creates a remote code execution (RCE) risk for unpatched systems. “An authenticated attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account,” Microsoft explains.

The flaw was uncovered by security researcher Dirk-jan Mollema at FoxIT who warned the vulnerability, which arises from memory corruption issues, meant an authenticated user could gain system privileges on a domain controller.

Updates to Windows Server 2008 and above address the vulnerability by resolving how ADIDNS handles objects in memory.

Shared (view)point?

Other critical vulnerabilities addressed in the autumnal patch batch include flaws in Microsoft SharePoint collaborative platform (CVE-2020-1210) and Microsoft Exchange (CVE-2020-16875), both of which pose an RCE risk.

A researcher has taken issue with Redmond’s classification of the CVE-2020-1523 and CVE-2020-1440 vulnerabilities in Microsoft SharePoint, which it describes as only posing a “server tampering” risk to users of the collaboration platform.

Each is better characterized as “critical” rather than “important”, according to Mexico-based security researcher @steventseeley, who warned that both are actually powerful server-side request forgery (SSRF) vulnerabilities.

The same researcher said he has already crafted an exploit for the CVE-2020-16875 vulnerability in Microsoft Exchange, which Microsoft’s security team now admits poses an RCE risk for unpatched systems. Redmond’s security triage team initially said the flaw posed only a lesser memory corruption risk.

Microsoft has addressed a total of 129 Common Vulnerabilities and Exposers (CVEs) as part of this month’s update.

A patching matrix put together by the SANS Institute’s Internet Storm Centre offers a handy visual guide to help make sense of the relative importance of relevance of these many updates.

READ MORE Microsoft bug bounty payouts trebled to reach nearly $14 million in the last year