Microsoft Patch Tuesday, September 2020 Edition – Krebs on Security


Microsoft today released updates to address about 130 security vulnerabilities in its Windows operating system and supported software. None of the flaws are currently known to be under active exploitation, but 23 of them could be used by malware or malcontents to seize complete control of a Windows computer with little or no help from users.

Most of the dangerous or “critical” bugs concern Microsoft’s various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row that Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth consecutive month in which it fixed more than 120.

Among the main concerns for enterprises this month is CVE-2020-16875, which involves a significant flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker can take advantage of the Exchange bug to run code of their choosing just by sending a specially crafted email to a vulnerable Exchange server.

“It’s not quite worrying, but it’s about the worst case scenario for Exchange Server,” said Dustin Childs, of Trend Micro’s Zero Day Initiative. “We have seen the earlier Exchange bug CVE-2020-0688 being used in the wild, and this requires authentication. We will see it in the wild soon. This should be your top priority.”

Also not great for companies is CVE-2020-1210, a remote code execution flaw in supported versions of Microsoft SharePoint document management software that bad guys could attack by uploading a file to a vulnerable SharePoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another SharePoint problem that has been exploited for cybercriminal gain since April 2019.

Microsoft fixed at least five other serious bugs in SharePoint versions 2010 through 2019 that can also be used to compromise systems running this software. Because ransomware purveyors have a history of seizing on SharePoint flaws to wreak havoc within enterprises, companies should definitely prioritize deployment of these fixes, says Alan Liska, senior security architect at Recorded Future.

Todd Schell at Ivanti reminds us that Patch Tuesday is not just about Windows updates: Google has shipped an important update to its Chrome browser that fixes at least five security flaws rated as high severity. If you use Chrome and see an icon featuring a small upward arrow inside a circle to the right of the address bar, it’s time to update. Completely closing Chrome and restarting it should apply any pending updates.

Once again, no security updates are available today for Adobe Flash Player, although the company shipped a non-security software update for the browser plugin. The last time Flash received a security update was in June 2020, which could suggest that researchers and/or attackers have stopped looking for flaws in it. Adobe says it will retire the plugin later this year, and Microsoft has said that it plans to completely remove the program from all Microsoft browsers through Windows Update by then.

Before updating with this month’s patch batch, please make sure you have backed up your system and/or important files. It is not uncommon for Windows updates to hose someone’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 also has some built-in tools to help you do this, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you want to make sure that Windows is set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there is a good chance that other readers have experienced the same and can chime in here with some useful tips.
