This article is more than 1 year old

Enjoyed the US Labor Day weekend? Because it's September 2020 and Exchange Server can be pwned via email

Don't be so smug, Mac users, you're open to an InDesign project file

A nightmare flaw for Exchange Server headlines this month's Patch Tuesday lineup from Microsoft and others.

September sees a bundle of 129 CVE-listed flaws patched by Microsoft. The vast majority of those, 105 in total, are classified as 'important' risks. Another 23 are considered critical bugs, and one is listed as moderate.

None of the bugs have public exploit code or in-the-wild attacks yet.

Of the nearly two-dozen critical patches, Zero Day Initiative's Dustin Childs says that far and away the most serious is CVE-2020-16875, a memory object error in Exchange Server that allows a poisoned email to execute code with System clearance.

"That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers," Childs explained.

"We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon."

Also getting the attention of experts was CVE-2020-0922, a remote code execution vulnerability in Microsoft COM, a component of Windows that is used by multiple applications, but most notably web browsers.

"Since this bug resides in COM, there are likely multiple applications that could be impacted by this flaw," notes Childs.

Other critical flaws include CVE-2020-1129, in the HEVC codec, and CVE-2020-1285, remote code execution in the Windows GDI.

Two critical bugs were spotted in the on-prem version of Dynamics 365 (CVE-2020-16857, CVE-2020-16862) and seven were found to reside in SharePoint (CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, CVE-2020-1576, CVE-2020-1595.)

Microsoft's browsers themselves were spared the usual laundry-list of code execution bugs. Only two (CVE-2020-1057, CVE-2020-1172 were found in the scripting engine this month.

Moving on to Office, this month's bugs include four remote code execution flaws in Excel (CVE-2020-1193, CVE-2020-1332, CVE-2020-1335, CVE-2020-1594) and two in Word (CVE-2020-1218, CVE-2020-1338.)

Intel drops critical fix for AMT/ISM

Of the four patches released this month by Intel, the most serious looks to the fix for CVE-2020-8758, an elevation of privilege bug in Active Management Technology and Standard Manageability.

While elevation of privilege flaws are generally not considered serious in software-land, when you're talking about Intel firmware, it's a massive security risk, and this flaw has been given a CVSS score of 9.8.

"Improper buffer restrictions in network subsystem in provisioned Intel(R) AMT and Intel(R) ISM versions before 11.8.79, 11.12.79, 11.22.79, 12.0.68 and 14.0.39 may allow an unauthenticated user to potentially enable escalation of privilege via network access," Chipzilla warns.

"On un-provisioned systems, an authenticated user may potentially enable escalation of privilege via local access."

The internal Intel team of Yaakov Cohen, Yocheved Butterman and Yossef Kuszer got credit for the discovery.

The Intel BIOS was the subject of two different bulletins this month. Both addressed for multiple elevation of privilege, denial of service, and information disclosure flaws.

The remaining Intel bulletin was a fix for an escalation of privilege flaw (CVE0-2020-12302) in the Intel Driver and Support Assistant.

Adobe warns of critical InDesign flaws

For Adobe, this month's fixes include five critical remote code execution vulnerabilities in InDesign. These bugs only look to affect the macOS version of InDesign, though the 15.1.2 update will apply to both Windows and Mac systems. Credit for the discovery went to Kexu Wang of FortiGuard labs.

Also getting patched up was FrameMaker, where two remote code execution bugs (CVE-2020-9726, CVE-2020-9725) were addressed. Credit for those finds went to an anonymous contributor of the Zero Day Initiative.

Finally, there is Adobe Experience Manager, where a total of 11 CVE-listed bugs were patched. Of those, five are cross-site scripting errors Adobe considered to be critical risks for Experience Manager (as a content management tool, XSS bugs can be particularly dangerous). The other six flaws are all listed as 'important' risks and include HTML injection, stored cross-site scripting, and one elevation of privilege flaw.

SAP updates earlier bulletins

Of the sixteen security notes posted this month by SAP, the highest ratings were actually for updates to earlier bulletins, one for a Match patch in SAP Solution Manager and another for the April update to SAP Business Client. Updates were also issued for the August and June patches to NetWeaver.

New patches this month include a fix for improper access control in SAP Marketing (CVE-2020-6320) and code injection in NetWeaver (CVE-2020-6318). ®

More about


Send us news

Other stories you might like