Microsoft yesterday began rolling out its September 2020 Patch Tuesday update. As always, this is a monthly cumulative update that fixes security and other issues in Windows and other Microsoft services. According to the company, this month's patch event was a busy one.
In fact, Microsoft points to a total of 129 security flaws it dealt with through this September Patch Tuesday release. Of those, 23 have been classified as critical, while 105 are “important” and one “moderate”.
While it's never good news to have a bunch of critical flaws, Microsoft says none of the 129 security issues have been exploited in the wild.
Windows was home to most of the critical vulnerabilities, although Microsoft Edge and the aging Internet Explorer also host some. However, it's in Microsoft Exchange Server 2016 and 2019 where arguably the most problematic bug was found.
Specifically, CVE-2020-16875 is a critical flaw in Microsoft Exchange Server that would allow a bad actor to run any code they choose. To do so, the attacker would send an infected email to a vulnerable server.
Dustin Childs of Trend Micro's Zero Day Initiative points out the bug is extremely problematic:
“That doesn't quite make it wormable, but it's about the worst-case scenario for Exchange servers,” Childs says. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We'll likely see this one in the wild soon. This should be your top priority.”
Another noteworthy flaw Microsoft is fixing during September Patch Tuesday is CVE-2020-1210. This is a remote code execution vulnerability found in Microsoft SharePoint. Attackers could compromise the service by uploading a malicious file.
Any user updating to the latest patch should back up their system and important files. There have been enough issues with Patch Tuesday rollouts to suggest they cannot be trusted to not mess something up on your machine.
There has been an increasing issue where Microsoft patches are fixing one issue but causing others. We have seen this recently with a fix for Windows Search that has left users unable to boot their PCs.
In April, that month's release also triggered BSODs in Windows 10. In March, the cumulative update left Microsoft Defender not showing some files. Last month's batch was reportedly causing BSOD errors for some Windows 10 users.