Enjoyed the US Labor Day weekend? Because it's September 2020 and Exchange Server can be pwned via email
Don't be so smug, Mac users, you're open to an InDesign project file
A nightmare flaw for Exchange Server headlines this month's Patch Tuesday lineup from Microsoft and others.
September sees a bundle of 129 CVE-listed flaws patched by Microsoft. The vast majority of those, 105 in total, are classified as 'important' risks. Another 23 are considered critical bugs, and one is listed as moderate.
None of the bugs have public exploit code or in-the-wild attacks yet.
Of the nearly two-dozen critical patches, Zero Day Initiative's Dustin Childs says that far and away the most serious is CVE-2020-16875, a memory object error in Exchange Server that allows a poisoned email to execute code with System clearance.
"That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers," Childs explained.
"We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon."
Also getting the attention of experts was CVE-2020-0922, a remote code execution vulnerability in Microsoft COM, a component of Windows that is used by multiple applications, but most notably web browsers.
"Since this bug resides in COM, there are likely multiple applications that could be impacted by this flaw," notes Childs.
Two critical bugs were spotted in the on-prem version of Dynamics 365 (CVE-2020-16857, CVE-2020-16862) and seven were found to reside in SharePoint (CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, CVE-2020-1576, CVE-2020-1595.)
Intel drops critical fix for AMT/ISM
Of the four patches released this month by Intel, the most serious looks to the fix for CVE-2020-8758, an elevation of privilege bug in Active Management Technology and Standard Manageability.
While elevation of privilege flaws are generally not considered serious in software-land, when you're talking about Intel firmware, it's a massive security risk, and this flaw has been given a CVSS score of 9.8.
"Improper buffer restrictions in network subsystem in provisioned Intel(R) AMT and Intel(R) ISM versions before 11.8.79, 11.12.79, 11.22.79, 12.0.68 and 14.0.39 may allow an unauthenticated user to potentially enable escalation of privilege via network access," Chipzilla warns.
"On un-provisioned systems, an authenticated user may potentially enable escalation of privilege via local access."
The internal Intel team of Yaakov Cohen, Yocheved Butterman and Yossef Kuszer got credit for the discovery.
The remaining Intel bulletin was a fix for an escalation of privilege flaw (CVE0-2020-12302) in the Intel Driver and Support Assistant.
Adobe warns of critical InDesign flaws
For Adobe, this month's fixes include five critical remote code execution vulnerabilities in InDesign. These bugs only look to affect the macOS version of InDesign, though the 15.1.2 update will apply to both Windows and Mac systems. Credit for the discovery went to Kexu Wang of FortiGuard labs.
Also getting patched up was FrameMaker, where two remote code execution bugs (CVE-2020-9726, CVE-2020-9725) were addressed. Credit for those finds went to an anonymous contributor of the Zero Day Initiative.
Finally, there is Adobe Experience Manager, where a total of 11 CVE-listed bugs were patched. Of those, five are cross-site scripting errors Adobe considered to be critical risks for Experience Manager (as a content management tool, XSS bugs can be particularly dangerous). The other six flaws are all listed as 'important' risks and include HTML injection, stored cross-site scripting, and one elevation of privilege flaw.
SAP updates earlier bulletins
Of the sixteen security notes posted this month by SAP, the highest ratings were actually for updates to earlier bulletins, one for a Match patch in SAP Solution Manager and another for the April update to SAP Business Client. Updates were also issued for the August and June patches to NetWeaver.
New patches this month include a fix for improper access control in SAP Marketing (CVE-2020-6320) and code injection in NetWeaver (CVE-2020-6318). ®