Administrators will want to focus their patching duties on multiple vulnerabilities affecting SharePoint and a critical bug on Exchange Server systems for September Patch Tuesday.
Bug leaves Exchange Server systems vulnerable
Microsoft’s on-premises messaging platform continues to draw significant interest from malicious actors. Email attacks in the form of a phishing attempt can target users or they can take the form of a specially constructed message that uses a loophole to overtake the Exchange Server system.
Exchange administrators will want to address a critical remote code execution vulnerability in Exchange Server (CVE-2020-16875) that affects Exchange Server 2016 and 2019. The attacker could trigger the exploit using a specially crafted email to the Exchange system which would allow them to run code in the context of the system user to perform a variety of actions, including install programs, create new accounts and delete data.
Microsoft offered additional guidance for administrators who manually apply the security update at this link. Microsoft warned that some files might not update properly this way.
“When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working,” according to the documentation. “This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.”
Microsoft corrects multiple critical bugs in SharePoint
SharePoint also continues to draw unwanted attention from malicious actors looking to find a way to infiltrate an organization’s infrastructure. For September Patch Tuesday, Microsoft closed seven critical vulnerabilities (CVE-2020-1452, CVE-2020-1460, CVE-2020-1453, CVE-2020-1576, CVE-2020-1200, CVE-2020-1210, CVE-2020-1595) in the collaboration product and 13 others rated important. Counting this month’s Patch Tuesday, Microsoft corrected 93 unique vulnerabilities for SharePoint this year, overshadowing the 23 unique vulnerabilities from the same time frame last year.
SharePoint is crucial to many enterprises for its document management features, connecting users to on-premises resources and integrating with Microsoft’s cloud services, including OneDrive for storage and Microsoft Teams for real-time chat and video conferencing. SharePoint’s integration capabilities are one of its strengths, but it comes at the expense of widening the attack vector.
“There’s definitely more people dabbling and looking for ways to take advantage of the interactions on the SharePoint platform,” said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah. “It’s something that people need to be conscious of and keep that platform up to date. The more dependent you are to SharePoint and it becomes more commonplace, then they can look for exploits on a system that a lot of people are using.”
Other notable fixes released on September Patch Tuesday
- The Microsoft Windows Codecs Library has two vulnerabilities (CVE-2020-1319, CVE-2020-1129). Both are remote-code execution bugs affecting Windows 10 and several Windows Server versions. The vulnerable system would need to view a specially crafted image to execute the attack.
- CVE-2020-1285 is a critical remote-code execution vulnerability in the Windows Graphics Device Interface (GDI) affecting all supported Windows client and server systems. Microsoft’s documentation details two possible attack scenarios, one launched from a website and the other from a file. In the former, a user would have to open an email attachment or click on a link that leads to the specially crafted website that houses the exploit. In the file-sharing scenario, the user would have to open a document that includes the exploit. If the attack is successful, the malicious actor would be limited by the rights of the affected user.
- Active Directory has two information disclosure vulnerabilities rated important (CVE-2020-0664, CVE-2020-0856) affecting supported Windows Server systems that could let an attacker see sensitive information. The attacker would need to send a specially crafted request to the Active Directory DNS service to exploit the bug.
Some WSUS deployments might require proxy change
Some administrators might feel additional stress this Patch Tuesday if they find some of their Windows machines cannot receive this month’s security updates. Microsoft issued a blog after it released the September Patch Tuesday updates to warn administrators of updated security requirements for WSUS deployments that, if not followed, could cause patching issues with Windows client systems.
“To ensure that your devices remain inherently secure, we are no longer allowing HTTP-based intranet servers to leverage user proxy by default to detect updates. If you have a WSUS environment not secured with TLS protocol/HTTPS and a device requires a proxy in order to successfully connect to intranet WSUS Servers — and that proxy is only configured for users (not devices) — then your software update scans against WSUS will start to fail after your device successfully takes the September 2020 cumulative update,” the company wrote in a blog on its Windows IT Pro site.
The company explained it made the change to improve security for organizations that use multiple WSUS servers, because one downstream server that uses HTTP rather than HTTPs increases the chance of an attack. Microsoft indicated administrators who use HTTP and a user-based proxy for client scans will need to either switch all WSUS servers to HTTPs or change to a system-based proxy to avoid problems with update scans.
Bug bounties might be factor in patch surge
September Patch Tuesday’s 129 fixes mark the seventh Patch Tuesday in a row of more than 100 unique vulnerabilities in Microsoft’s monthly security updates. In August, the company reported it had paid out $13.7 million in bounties over the last 12 months compared with the $4.4 million it paid in the previous 12 months.
“This year, we launched six new bounty programs and two new research grants, attracting over 1,000 eligible reports from over 300 researchers across [six] continents. In addition to the new bounty programs, COVID-19 social distancing appears to have had an impact on security researcher activity; across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic,” the company wrote in Microsoft Security Response Center blog.
With Microsoft offering as much as $250,000 for a fix for some products, it’s possible the increase in patches this year has been a factor as more security researchers try to uncover vulnerabilities in Microsoft’s sizable product portfolio.
“Microsoft is one of many vendors who have recognized the value in a bug bounty program that helps them improve security of their solutions but at a cheaper cost than sending their own engineers to find it,” Goettl said.