Welcome to our Patch Tuesday recap for September 8, 2020. This month’s patches fix 129 vulnerabilities, 20 of which have been designated ‘Critical’ by Microsoft. None of the vulnerabilities have been publicly disclosed prior to patching or exploited in the wild.
Windows
Microsoft’s OS was patched for a particularly dangerous vulnerability that allowed for an attacker to execute arbitrary code with system privileges. The attacker would have to convince the user to run a maliciously crafted application or execute code some other way before using this exploit to elevate privileges. Microsoft has rated this vulnerability as “Critical” with “Exploitation Less Likely” currently.
Microsoft Dynamics 365
Microsoft Dynamics 365 servers were patched for a vulnerability where the server failed to sanitize web requests to an affected Dynamics server. The SQL service account would run the commands in the web request from an authenticated user, within its own context. Microsoft also patched a vulnerability where an authenticated attacker could send a maliciously crafted file to the Dynamics server, and, when processed, would result in script execution. Microsoft rates both vulnerabilities as “Critical.”
Exchange Server
Exchange servers were vulnerable to a particularly notable exploit in which a specially crafted email could cause the server to execute arbitrary code with system-level privileges. This exploit requires no user interaction and is a top priority for patching due to its severity. Microsoft rates this vulnerability as “Critical” and “Less Likely for Exploit” currently.
Office
Office received its usual attention for the month. Excel and Word both had multiple remote code execution vulnerabilities patched this month. All the vulnerabilities would have executed code within the context of the current user, reminding us to exercise the principle of least privilege.
Research Team, BeyondTrust
Identity security threats are escalating at an alarming rate. Driven by the rapid evolution of technology, the increasing sophistication of malicious actors, and an ever-expanding attack surface, it is more important than ever that organizations adopt robust identity security measures that are capable of keeping pace ever-evolving attacks.
The BeyondTrust research and detection engineering teams believe the best way to fully understand cybersecurity threats is to work closely with our customers and partners, conducting real world research into the attacks that matter most to them. By dissecting emerging attack methods and exploitation techniques of threat actors as well as conducting novel research the teams mission is to help organizations defend against identity threats.