This month’s Microsoft Patch Tuesday addresses 58 vulnerabilities with 9 of them labeled as Critical. The 9 Critical vulnerabilities cover Exchange, SharePoint, Hyper-V, Chakra Scripting, and several other workstation vulnerabilities. Adobe released patches today for Experience Manager, Prelude, Lightroom and pre-notification security advisory for Acrobat and Reader.
Today’s Patch Tuesday fixes vulnerabilities that would impact workstations. The Office, Edge, Chakra vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Microsoft Exchange RCE
Microsoft patched five Remote Code Execution vulnerabilities in Exchange (CVE-2020-17141, CVE-2020-17142, CVE-2020-17144, CVE-2020-17117, CVE-2020-17132), which would allow an attacker to run code as system by sending a malicious email. Microsoft does rank them as “Exploitation Less Likely,” but due to the open attack vector, these patches should be prioritized on all Exchange Servers.
Microsoft patched two RCEs (CVE-2020-17121 and CVE-2020-17118) in SharePoint. CVE-2020-17121 allows an authenticated attacker to gain access to create a site and execute code remotely within the kernel. Because of this, it is highly recommended to prioritize these patches across all SharePoint deployments.
Microsoft also patched an RCE vulnerability in Hyper-V (CVE-2020-17095) which allows an attacker to run malicious programs on Hyper-V virtual machine to execute arbitrary code on the host system when it fails to properly validate vSMB packet data. This should be prioritized on all Hyper-V systems.
Windows NTFS RCE
While listed as Important, there is a RCE vulnerability (CVE-2020-17096) in Microsoft Windows. A local attacker could exploit this vulnerability to elevate the attacker’s privileges or a remote attacker with SMBv2 access to affected system could send malicious requests over the network.
Windows Lock Screen Security Bypass
An important vulnerability is patched by Microsoft (CVE-2020-17099) where an attacker with physical access to the target system could perform actions on a locked system, thereby executing code from Windows lock screen in the context of the active user session. This patch should be prioritized across all Windows devices.
Adobe issued patches today covering multiple vulnerabilities in Adobe Experience Manager, Lightroom, Prelude and Pre-notification Security Advisory for Acrobat and Reader. The patches for Experience Manager and Acrobat/Reader are labeled as Priority 2 , while the remaining patches are set to Priority 3.
While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.