Microsoft has fixed 129 CVEs this Patch Tuesday, the seventh month in a row that the number has exceeded 100.
The September line-up for system administrators included 23 critical vulnerabilities, mostly affecting Windows OS and browsers, although none have been exploited or publicly disclosed.
SharePoint also accounts for seven of the critical bugs fixed this month, all of which could lead to remote code execution (RCE).
“Five of these vulnerabilities (CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, CVE-2020-1576) involve uploading a malicious application package, and one (CVE-2020-1460) involves user-created content,” explained Qualys senior director of product management, Jimmy Graham.
“The remaining vulnerability (CVE-2020-1595) is a deserialization vulnerability in SharePoint APIs. Because of this, it is highly recommended to prioritize these patches across all SharePoint deployments.”
Another flaw highlighted by experts as a priority is an RCE bug in Exchange 2016 and 2019 with a CVSS score of 9.1 (CVE-2020-16875).
“The vulnerability is a memory corruption vulnerability, which means all an attacker has to do is send a specially crafted email to exploit it,” said Allan Liska, senior security architect at Recorded Future.
“Both cyber-criminal and nation state threat actors are looking to exploit Microsoft Exchange because so many large enterprises rely on it. For example, CVE-2020-0688 was disclosed in February of this year and by early March exploits were being discussed on underground forums, and vulnerable systems were being scanned and exploited.”
Another, CVE-2020-0922, is an RCE bug in Microsoft COM for Windows, which affects Windows 7-10 and Windows Server 2008-2019.
“The vulnerability exists in the way Microsoft COM handles objects in memory and, when exploited, would allow an attacker to execute arbitrary scripts on a victim machine. To exploit a vulnerability an attacker would need to get a victim to execute a malicious JavaScript on the victim’s machine,” said Liska.
“If this vulnerability is eventually weaponized, it would be in line with recent trends of attackers using so-called fileless malware in their attacks by sending phishing emails with malicious scripts as attachments.”
Google also released a security update yesterday fixing five security vulnerabilities in Chrome rated “high,” its second highest severity rating.