In a Patch Tuesday to rival June’s security update, Microsoft fixed 129 new software vulnerabilities, including 23 critical flaws, impacting multiple platforms, including the Windows Graphic Device Interfaces (GDI), Microsoft SharePoint and Microsoft Exchange Server.
Justin Knapp, Automox product marketing manager, attributed the patch laundry list to a remote workforce not going back to offices en masse any time soon.
“While there are fortunately no zero-day surprises to worry about this month,” Knapp said of the “massive release,” a “failure to resolve these vulnerabilities in a timely fashion creates unnecessary exposure and risk at a time when attackers are looking to take advantage of a growing attack surface and exploit the additional exposure that remote workers introduce.”
“While there are no public disclosures or exploited CVEs this month there are a few issues to be concerned about. Microsoft SharePoint has a number of Critical vulnerabilities this month including CVE-2020-1210 which has a CVSS score of 9.9,” said Todd Schell, senior product manager, security, at Ivanti. “Microsoft Exchange has one CVE with a CVSS score of 9.1 (CVE-2020-16875) which could allow remote code execution if an attacker sends a specially crafted email to the affected Exchange Server. Also, CVE-2020-0761 is another remote code execution vulnerability affecting Active Directory when integrated with DNS (ADIDNS). This vulnerability has a CVSS score of 8.8.”
The critical GDI+ RCE Vulnerability (CVE-2020-1285) is a result of the way the Windows Graphic Device Interface handles objects in memory, providing both web-based and file-sharing attack scenarios that could introduce multiple vectors for an attacker to gain control of a system. “Given the extensive list of Windows and Windows Server versions impacted and the lack of a workaround or mitigation, this is a vulnerability that should be patched immediately,” Knapp said.
The critical RCE flaw within Visual Studio (CVE-2020-16874), present in multiple versions dating back to 2012, could allow an attacker to take control of the affected system and gain the ability to install programs; view, change or delete data; or create new accounts with full user rights, Knapp pointed out.
The critical Microsoft Exchange Server vulnerability (CVE-2020-16875), corrupts memory due to improper handling of objects, said Satnam Narang, staff research engineer at Tenable.
“Exploitation of this flaw would simply require an attacker to send a malicious email containing the exploit code to a vulnerable Exchange server,” said Narang, adding that the flaw would allow the attacker to run arbitrary code, which could grant them access to create new accounts, access, modify or remove data, and install programs.
Two critical CRE vulnerabilities (CVE-2020-1508 and CVE-2020-1593) were found in the Windows Media Audio Encoder, targeting how the encoder handles objects, notes Jay Goodman, Automax strategic product marketing manager. An adversary could use this vulnerability in a malicious document or webpage to take control of the impacted system, Goodman added.
Microsoft issued more than half-dozen patches for critical vulnerabilities found in Sharepoint (CVE-2020-1452, 1453, 1576, 1200, 1210, and 1595). “Given the nature of the vulnerability, there are no mitigating recommendations besides patching,” Goodman said.
“Unfortunately, this set of seven remote code execution vulnerabilities (CVE-2020-1576, CVE-2020-1452, CVE-2020-1453, CVE-2020-1200, CVE-2020-1460, CVE-2020-1210, CVE-2020-1595) and the one tampering vulnerability (CVE-2020-1523) is not marked as applying to the same set of vulnerable SharePoint editions each time,” said Richard Tsang, senior software engineer, Rapid7.
As a result, “getting an accurate risk score based off of those vulnerabilities to prioritize would require a bit more work,” said Tsang. “However, given the severity of these vulnerabilities, it's recommended to patch up SharePoint servers next just to be safe.
When exploited all the RCE vulnerabilities could allow arbitrary code to run under the context of the SharePoint application pool, and affect different aspects of the products from when source markup is validated (CVE-2020-1210) to handling of untrusted data against susceptible API endpoints (CVE-2020-1595),” he explained.
Another critical RCE exploit for Sharepoint Server (CVE-202-1460) improperly identifies and filtered ASP.Net web controls, said Goodman. “Exploitation requirements are a bit more involved as a malicious threat actor must be authenticated and additionally have crafted a special SharePoint page in order to perform actions in the context of the SharePoint application pool process.”
Sharepoint vulnerability (CVE-2020-1210) is the result of a failure to check an application package’s source markup, Narang explained, adding that to exploit this flaw, an attacker would need to be able to upload a SharePoint application package to a vulnerable SharePoint site.
Windows Codecs Library contained a pair of critical bugs (CVE-2020-1129 and CVE-2020-1319) that can be exploited simply by crafting a malicious image file and having any program process the malicious image.
Two critical RCE flaws (CVE-2020-16857 and CVE-2020-16892) found in Microsoft Dynamics 365 (on-premises) for finance and operations would allow an attacker to steal documents and data deemed critical.
Finally, the tech giant provided a patch (CVE-2020-0922) for Microsoft Common Object Model (COM) to prevent an attacker to execute malicious code on a victim machine.