September, 2020: Patch Monday: MS Exploit Code Released

Welcome to the September Patch Monday bulletin. This month there are patches from Adobe, Apple, Google, and Mozilla. While there were no known attacks on the products listed in this bulletin, a reliable exploit was released this month for a vulnerability covered by a Microsoft patch. The vulnerability, dubbed “Zerologon”, was part of the August MS patch release, so it is imperative that those patches be deployed as soon as possible. Zerologon allows an attacker to “instantly become domain admin by subverting Netlogon cryptography” from any domain-joined machine. Since the technical details were released on September 11th, numerous PoCs have been published on GitHub. Needless to say, this is the top priority for the month.

Once the August MS patches have been deployed, work on testing and deploying the updates for Chrome and Firefox. There were no priority 1 updates to Adobe products this month, but Adobe Experience Manager (AEM) is rated priority 2 and is worth reviewing. After AEM, review your environment for iCloud for Windows and the remaining Adobe products.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia, which documents all of the Security Log event IDs for Windows Server OSes. Back in 2007, when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint, but I also found a similar need in SQL Server and Exchange. So not only did I document the data, but I also started to develop the means to extract that event data from these applications so that it’s accessible and usable to the end user. Some 8 years later, LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of non-MS patches this month.

| Identifier | Vendor/Product | Product Version Affected | Date Released by Vendor | Vulnerability Info | Vendor Severity / Our Recommendation |
|---|---|---|---|---|---|
| Multiple CVEs | Adobe Media Encoder | 14.3.2 and earlier | 9/15/2020 | Information Disclosure | Important Priority 3: Update at admin’s discretion |
| Multiple CVEs | Adobe Experience Manager | Experience Manager: 6.6.6.0 and earlier, 6.4.8.1 and earlier, 6.3.3.8 and earlier, 6.2 SP1-CFP20 and earlier; AEM Forms add-on: Forms Service Pack 5 add-on package AEM 6.5.5.0, Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 1 | 9/8/2020 | Cross Site Scripting, Information Disclosure, HTML Injection | Critical Priority 2: Update within 30 days |
| Multiple CVEs | Adobe Framemaker | 2019.0.6 and below | 9/8/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin’s discretion |
| Multiple CVEs | Adobe InDesign | 15.1.1 and below | 9/8/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin’s discretion |
| CVE-2020-9952 | iCloud for Windows | Win 7 before 7.21; Win 10 before 11.4 | 9/24/2020 | Cross Site Scripting | Update after testing |
| Multiple CVEs | Google Chrome | Before 85.0.4183.121 | 9/21/2020 | Information Disclosure, Security Bypass, Use After Free | Update after testing |
| Multiple CVEs | Mozilla Firefox | Before Firefox 81/ESR 78.3 | 9/22/2020 | Spoofing, Cross Site Scripting, Use After Free | Update after testing |
| Multiple CVEs | Mozilla Thunderbird | Before 78.3 | 9/22/2020 | Spoofing, Cross Site Scripting, Use-After-Free, Privilege Escalation | Update after testing |