September, 2020: Patch Tuesday: Critical Browser and Exchange Vulnerabilities

Welcome to this September Patch Tuesday Bulletin. This was another huge month of updates for Microsoft, with 129 unique CVEs and 8 technologies with critical updates, but no actively attacked or disclosed vulnerabilities. Even though no vulnerabilities were attacked in the wild, it is important to pay attention to the critical browser and Exchange vulnerabilities: test, deploy, and verify updates for IE, Edge, and Exchange. The Exchange vulnerability could be particularly nasty given that Microsoft states “Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server”. The impact would be very high if an adversary were to develop an exploit to execute this attack. Make sure that updates for Windows and Office vulnerabilities are a high priority, since these platforms are always enticing targets for adversaries.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia, which documents all of the Security Log event IDs for Windows Server OSes. Back in 2007, when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data, but I also started to develop the means to extract that event data from these applications so that it’s accessible and usable to the end user. Some 8 years later, LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of MS patches this month.

Patch data provided by:

Technology: Windows
Products Affected: Windows 8.1, RT 8.1, 10; Server 2012, 2016, 2019
Severity: Critical
Reference: CVE-2020-1471, CVE-2020-1507, CVE-2020-1532, CVE-2020-1590, CVE-2020-1592, CVE-2020-0648, CVE-2020-0664, CVE-2020-0718, CVE-2020-0790, CVE-2020-0805, CVE-2020-0837, CVE-2020-0839, CVE-2020-0914, CVE-2020-0922, CVE-2020-0928, CVE-2020-0941, CVE-2020-0951, CVE-2020-1013, CVE-2020-1034, CVE-2020-1038, CVE-2020-1039, CVE-2020-1122, CVE-2020-1130, CVE-2020-1146, CVE-2020-1169, CVE-2020-1285, CVE-2020-0997, CVE-2020-1376, CVE-2020-1491, CVE-2020-1508, CVE-2020-1559, CVE-2020-1589, CVE-2020-1593, CVE-2020-1596, CVE-2020-1598, CVE-2020-0761, CVE-2020-0766, CVE-2020-0782, CVE-2020-0836, CVE-2020-0838, CVE-2020-0856, CVE-2020-0870, CVE-2020-0875, CVE-2020-0886, CVE-2020-0890, CVE-2020-0904, CVE-2020-0908, CVE-2020-0911, CVE-2020-0912, CVE-2020-0921, CVE-2020-0989, CVE-2020-0998, CVE-2020-1030, CVE-2020-1031, CVE-2020-1033, CVE-2020-1052, CVE-2020-1053, CVE-2020-1074, CVE-2020-1083, CVE-2020-1091, CVE-2020-1097, CVE-2020-1098, CVE-2020-1115, CVE-2020-1119, CVE-2020-1129, CVE-2020-1133, CVE-2020-1152, CVE-2020-1159, CVE-2020-1228, CVE-2020-1245, CVE-2020-1250, CVE-2020-1252, CVE-2020-1256, CVE-2020-1303, CVE-2020-1308, CVE-2020-1319, CVE-2020-16854, CVE-2020-16879
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Elevation of Privilege; Information Disclosure; Remote Code Execution; Security Feature Bypass; Spoofing; Denial of Service

Technology: Edge
Products Affected: HTML-based (Legacy)
Severity: Critical
Reference: CVE-2020-0878, CVE-2020-1057, CVE-2020-1172, CVE-2020-1180
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Remote Code Execution

Technology: Edge
Products Affected: Chromium-Based
Severity: Important
Reference: CVE-2020-16884
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Remote Code Execution

Technology: ChakraCore
Products Affected: ALL
Severity: Critical
Reference: CVE-2020-0878, CVE-2020-1057, CVE-2020-1172, CVE-2020-1180
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Remote Code Execution

Technology: Internet Explorer
Products Affected: IE 11
Severity: Critical
Reference: CVE-2020-0878, CVE-2020-1506, CVE-2020-1012
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Remote Code Execution; Elevation of Privilege

Technology: SQL Server
Products Affected: SQL Server Reporting Services 2017, 2019
Severity: Moderate
Reference: CVE-2020-1044
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Security Feature Bypass

Technology: Office, Office Services and Web Apps
Products Affected: Excel 2010, 2013, 2016; Office 2010, 2013, 2016, 2016 for Mac, 2019, 2019 for Mac; Online Server; Web Apps 2010, 2013; SharePoint Enterprise server 2013, 2016; SharePoint Foundation 2010, 2013; SharePoint 2010, 2019; Word 2010, 2013, 2016; OneDrive for Windows; 365 Apps for Enterprise
Severity: Critical
Reference: CVE-2020-1193, CVE-2020-1198, CVE-2020-1200, CVE-2020-1205, CVE-2020-1210, CVE-2020-1218, CVE-2020-1224, CVE-2020-1227, CVE-2020-1332, CVE-2020-1335, CVE-2020-1338, CVE-2020-1345, CVE-2020-1440, CVE-2020-1452, CVE-2020-1453, CVE-2020-1460, CVE-2020-1482, CVE-2020-1514, CVE-2020-1523, CVE-2020-1575, CVE-2020-1576, CVE-2020-1594, CVE-2020-1595, CVE-2020-16851, CVE-2020-16852, CVE-2020-16853, CVE-2020-16855
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Elevation of Privilege; Information Disclosure; Remote Code Execution; Spoofing; Tampering

Technology: Dynamics
Products Affected: Dynamics 365; Dynamics; Dynamics 365 for Finance and Operations
Severity: Critical
Reference: CVE-2020-1182, CVE-2020-16857, CVE-2020-16858, CVE-2020-16859, CVE-2020-16860, CVE-2020-16861, CVE-2020-16862, CVE-2020-16864, CVE-2020-16871, CVE-2020-16872, CVE-2020-16878
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Remote Code Execution; Spoofing

Technology: Visual Studio
Products Affected: Visual Studio 2012, 2013, 2015, 2017, 2019; Visual Studio Code
Severity: Critical
Reference: CVE-2020-1130, CVE-2020-1133, CVE-2020-16856, CVE-2020-16874, CVE-2020-16881
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Elevation of Privilege; Remote Code Execution

Technology: Exchange Server
Products Affected: Server 2016, 2019
Severity: Critical
Reference: CVE-2020-16875
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Remote Code Execution

Technology: ASP.NET
Products Affected: ASP.NET 2.1, 3.1
Severity: Important
Reference: CVE-2020-1045
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Security Feature Bypass

Technology: OneDrive
Products Affected: OneDrive for Windows
Severity: Important
Reference: CVE-2020-16851, CVE-2020-16852, CVE-2020-16853
Workaround/Exploited: *Workaround: No; **Public: No; Exploited: No
Vulnerability Info: Elevation of Privilege
