Automox Experts Weigh in on September's Patch Tuesday Release

Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.

Justin Knapp


As many organizations continue to struggle to support the ongoing distribution of remote workers, Microsoft continues to pile on the updates this month as September delivers a massive release, patching 129 new vulnerabilities, 23 of which are critical. Finding an efficient method for rolling out these patches has become even more imperative as companies begin to abandon the idea of a short-term fix and shift operations to embrace remote work as part of a lasting, long-term progression of how organizations operate moving forward. While there are fortunately no zero-day surprises to worry about this month, failure to resolve these vulnerabilities in a timely fashion creates unnecessary exposure and risk at a time when attackers are looking to take advantage of a growing attack surface and exploit the additional exposure that remote workers introduce. We’re beginning to realize the negative outcomes of the lenient security measures put in place to quickly adapt to a decentralized workforce, and it’s become more important than ever to establish patching policies that can securely support remote endpoints for the foreseeable future.

CVE-2020-1285 - GDI+ Remote Code Execution Vulnerability

A critical remote code execution vulnerability has been identified in the way the Windows Graphics Device Interface handles objects in memory, providing both web-based and file-sharing attack scenarios that could introduce multiple vectors for an attacker to gain control of a system. In the web-based attack scenario, an attacker would need to craft a website designed to exploit the vulnerability and then convince users to view the website. Since there’s no way to force users to view the attacker-controlled content, the attacker would need to convince users to take action, typically by getting them to open an email attachment or click a link. In the file-sharing scenario, the attacker would need to convince users to open a specially crafted file designed to exploit the vulnerability. Given the extensive list of Windows and Windows Server versions impacted and the lack of a workaround or mitigation, this is a vulnerability that should be patched immediately.

CVE-2020-16874 - Visual Studio Remote Code Execution Vulnerability

CVE-2020-16874 is a critical remote code execution vulnerability within Visual Studio. An attacker could successfully exploit this vulnerability by convincing a user to open a specially crafted file using an affected version of Visual Studio. If the compromised user is logged in with admin rights, the attacker could take control of the affected system and gain the ability to install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability exists in multiple versions of Visual Studio dating back to 2012.

CVE-2020-16875 - Microsoft Exchange Memory Corruption Vulnerability

CVE-2020-16875 introduces yet another critical remote code execution vulnerability, this time within Microsoft Exchange, that could be leveraged to run arbitrary code in the context of the System user. An attacker could exploit this vulnerability by sending a specially crafted email to a vulnerable Exchange server. While this vulnerability only affects Exchange Server versions 2016 and 2019, the broad use of Microsoft Exchange across business users and a high CVSS score of 9.1 indicates that this patch should be prioritized high on the list.

CVE-2020-1252 - Windows Remote Code Execution Vulnerability

CVE-2020-1252 is a remote code execution vulnerability that, if exploited successfully, could allow an attacker to take control of an affected system. While this vulnerability is listed as critical, successful exploitation would require the attacker to first gain access to the target system in order to run a specially crafted application.

Jay Goodman

CVE-2020-1508 // -1593 - Windows Media Audio Encoder Remote Code Execution Vulnerability

CVE-2020-1508 and CVE-2020-1593 are critical remote code execution vulnerabilities found in the Windows Media Audio Encoder. The vulnerabilities target how the encoder handles objects. An adversary could use this vulnerability in a malicious document or webpage to take control of the impacted system. Remote code execution vulnerabilities can quickly and easily allow attackers to access your organization’s network and data, make changes to data, or directly run malicious code on the exploited systems.

CVE-2020-1057 // -1172 - Scripting Engine Memory Corruption Vulnerability

CVE-2020-1057 and CVE-2020-1172 are remote code execution vulnerabilities identified in the ChakraCore scripting engine. They exploit how the engine handles objects in memory and can lead to remote code execution. ChakraCore is an open-source JavaScript engine developed specifically by Microsoft to support Microsoft’s Edge browser. Malicious actors can use this vulnerability to take control of an affected system, install programs, view or change data, or create new user accounts with full user rights. Remote code execution vulnerabilities are particularly nefarious given that they enable attackers to directly run malicious code on the exploited systems.

CVE-2020-1152 // -1245 // -0941 - Elevation of Privilege and Information Disclosure Vulnerabilities in Win32k

CVE-2020-1152, CVE-2020-1245, and CVE-2020-0941 are two elevation of privilege vulnerabilities and one information disclosure vulnerability found in Win32k. The elevation of privilege exploits allow attackers who successfully exploit the vulnerability to gain elevated privileges on a target system. The information disclosure vulnerability, -0941, gives attackers additional context and data to further compromise a target system. All three vulnerabilities, while fairly innocuous on their own, can give adversaries the tools necessary to quickly accelerate a rudimentary exploit attempt into a more widespread threat on compromised systems. IT and security teams must take these important vulnerabilities into account when patching systems. Although none are likely to lead to an incursion on their own, they provide the foundation necessary for attackers to take full control over a system or network.

Nick Colyer

CVE-2020-1452 // -1453 // -1576 // -1200 // -1210 // -1595 - Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2020-1452, 1453, 1576, 1200, 1210, and 1595 are all critical remote code execution vulnerabilities identified in Microsoft SharePoint. Given the nature of the vulnerability, there are no mitigating recommendations besides patching. The result of deserializing untrusted data input, the vulnerability allows arbitrary code execution in the SharePoint application pool and server farm account. Variations of the attack, such as CVE-2020-1595 (API specific), reflect the importance of patching this vulnerability to reduce the threat surface available to malicious threat actors.

CVE-2020-1460 - Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2020-1460 is a critical remote code execution vulnerability affecting Microsoft SharePoint Server. The exploit is the result of improperly identified and filtered ASP.NET web controls. Exploitation requirements are a bit more involved, as a malicious threat actor must be authenticated and additionally have crafted a special SharePoint page in order to perform actions in the context of the SharePoint application pool process.

CVE-2020-1115 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2020-1115 is a privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver affecting multiple Windows releases. The vulnerability is the result of how the CLFS driver interacts with objects in memory on a system. Successful exploitation of this vulnerability requires an attacker to log in and execute a maliciously crafted binary in order to elevate the privilege level.

Chris Hass

CVE-2020-0997 - Windows Camera Codec Pack Remote Code Execution Vulnerability

A memory bug exists in the Windows Camera Codec Pack that, if exploited correctly, could allow an attacker to achieve remote code execution on the affected host in the context of the current logged-in user. With the push to remote work, it is extremely common for IT staff to give administrative rights to alleviate some of the burden that comes with remote work. There are numerous ways an attacker could exploit this vulnerability; however, the most likely scenario would be in the form of a phishing attack with a malicious link that redirects its victims to a compromised website hosting the malicious payload.

CVE-2020-1129 // -1319 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability

A couple of critical bugs have been found in Windows Codecs Library. CVE-2020-1129 and CVE-2020-1319 can be exploited simply by crafting a malicious image file and having any program process the malicious image. With the number of images being shared constantly on Slack, Zoom, or email, this vulnerability could prove enticing for attackers to leverage.

CVE-2020-0878 - Microsoft Browser Memory Corruption Vulnerability

A memory corruption bug found in many Microsoft browsers, including versions of Edge and Internet Explorer, could be leveraged by attackers to gain remote code execution in the context of the current user. If that current user has administrative rights, the attacker could take full control of the host. Although there have been many memory corruption RCE vulnerabilities disclosed this month, Microsoft currently has around 13% of the total market share when it comes to browsers, possibly presenting enough attack surface to make it worthwhile for attackers to explore.

CVE-2020-1308 - DirectX Elevation of Privilege Vulnerability

CVE-2020-1308, a privilege escalation vulnerability affecting DirectX, is an interesting bug that will likely be leveraged by attackers in the wild. The exploitation of this vulnerability doesn’t just give you administrative rights but allows you to execute code in kernel mode, allowing users to fully compromise a host. This exploit may not provide an attacker’s initial access remotely. However, it may allow an attacker to turn a low-value compromised machine into a high-value foothold for malicious activity.

Richard Melick

CVE-2020-16857 - Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability;

CVE-2020-16862 - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

Two critical remote code execution vulnerabilities in Microsoft Dynamics 365 have been identified and patched by Microsoft today. Impacting the on-premise servers with this finance and operations focused service installed, both exploits require a specifically created file to exploit the security vulnerability, allowing the attacker to gain remote code execution capability. More concerning with these vulnerabilities is that both CVE-2020-16857 and CVE-2020-16862, if exploited, would allow an attacker to steal documents and data deemed critical. Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size.

CVE-2020-0664 - Active Directory Information Disclosure Vulnerability;

CVE-2020-0856 - Active Directory Information Disclosure Vulnerability

More than 2.9 million organizations are using Active Directory, so when two vulnerabilities are disclosed that could allow an attacker to access sensitive information, it should be handled with great care and addressed quickly. CVE-2020-0664 and CVE-2020-0856 are only rated as important, but due to the high adoption and use of Active Directory as well as the lack of barriers for a successful attack, exploitation is likely. Combining this exploit with another could give an attacker all the tools they need to further exploit the victim system, giving them unprecedented access to corporate networks.

CVE-2020-0922 - Microsoft COM for Windows Remote Code Execution Vulnerability

Addressing a critical vulnerability in Microsoft Common Object Model, or COM, CVE-2020-0922 patches a security gap that would allow an attacker to execute malicious code on a victim machine. As COM is the base framework of Microsoft services like ActiveX, OLE, DirectX, and Windows Shell, if left unpatched it would give a malicious player a large target to focus on when seeking out vulnerabilities in a network. Given that the exploit can be taken advantage of through a simple malicious JavaScript or website, potentially delivered through a phishing email, it is necessary to address to minimize a network’s attack surface.

CVE-2020-0908 - Windows Text Service Module Remote Code Execution Vulnerability

Windows Text Service Module is the foundation of text input on Microsoft systems and CVE-2020-0908 is a vulnerability that could take advantage of its wide use, giving an attacker the ability to execute software on a victim machine. Specifically addressing how Windows Text Service Module handles memory, this critical remote code execution vulnerability should be addressed quickly to mitigate any easy access points for attackers.

Adobe Patches

It’s been a bit quiet on the Adobe front over the last month, but for this Patch Tuesday they did release three patches for three marketing-focused tools. Adobe Experience Manager, the online marketing and web analytics toolset, received a patch (APSB20-56) mitigating a slew of browser-based vulnerabilities that would allow arbitrary JavaScript code execution. While only a few are marked critical, as we have seen in the past, even less critical vulnerabilities are targeted and exploited to gain access to a system, which in this case, would allow an attacker to run malicious JavaScript on a victim’s machine.

Two marketing collateral tools, Adobe FrameMaker and Adobe InDesign, both received critical arbitrary code execution patches (APSB20-54 and APSB20-52), closing the door on any attacker that might attempt to run a malicious script or program acting as the logged-in user.

The impact of any exploitation of these vulnerabilities, no matter their criticality, could open any organization up to the release of private information, easy lateral movement through a network, or the hijacking of critical information, all due to the heavy use of these tools in marketing and its unfettered access to critical information. It is important to patch these vulnerabilities as soon as possible.


To see all the latest details and advice on this month's Patch Tuesday, check out the Automox Patch Tuesday Rapid Response Center.

About Automox Automated Patch Management

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.