Patch Tuesday September 2020

As part of this month’s Patch Tuesday, Microsoft today released a fresh batch of security updates to fix a total of 129 newly discovered security vulnerabilities affecting various versions of its Windows operating systems and related software.

23 are listed as critical, 105 as important, and one as moderate in severity.

None of the vulnerabilities patched in September are listed as publicly known or under active attack at the time of release, at least not to Microsoft's knowledge.

A memory corruption vulnerability (CVE-2020-16875) in Microsoft Exchange is worth highlighting among all the critical flaws. Exploiting it could allow an attacker to run arbitrary code at the SYSTEM level by sending a specially crafted email to a vulnerable Exchange Server.

“A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory,” Microsoft explains. “An attacker could then install programs; view, change, or delete data; or create new accounts.”

Microsoft also patched two critical remote code execution flaws in Windows Codecs Library; both exist in the way that Microsoft Windows Codecs Library handles objects in memory, but while one (CVE-2020-1129) could be exploited to obtain information to compromise the user’s system further, the other (CVE-2020-1319) could be used to take control of the affected system.

Besides these, two remote code execution flaws affect the on-premises implementation of Microsoft Dynamics 365, but both require the attacker to be authenticated.

Microsoft also patched six critical remote code execution vulnerabilities in SharePoint and one in SharePoint Server. While exploiting the vulnerability in SharePoint Server requires authentication, other flaws in SharePoint do not.

Other critical flaws the tech giant patched this month reside in Windows, Windows Media Audio Decoder, Windows Text Service Module, Windows Camera Codec Pack, Visual Studio, Scripting Engine, Microsoft COM for Windows, Microsoft Browser, and Graphics Device Interface.

Most of these vulnerabilities allow information disclosure, elevation of privilege, and cross-site scripting. Some also lead to remote code execution, while others allow security feature bypass, spoofing, tampering, and denial of service.

Windows users and system administrators are strongly advised to apply the latest security patches as soon as possible to keep cybercriminals and hackers from taking control of their computers.
To install the security updates, go to Settings → Update & security → Windows Update → Check for updates, or install the updates manually.

Patch Tuesday Preview September 2020

There were some reported issues with the Windows 10 version 1903, 1909, and 2004 updates. Applying KB 4565351 or KB 4566782 failed for many users on automatic updates, with return codes and explanations that were not very helpful. Mitigations for these issues will be released.

Reminder: the EOL of Windows Embedded Standard 7 is coming up on October Patch Tuesday. Microsoft will offer continued support for critical and important security updates, just as it did for Windows 7 and Server 2008.

These updates will be available for three years through October 2023. Microsoft also provided an update on the ‘sunset’ of the legacy Edge browser in March 2021.

Microsoft 365 apps and services will no longer support IE 11 starting in August 2021. They made it clear IE 11 is not going away anytime soon, but the new Edge is required for a modern browser experience.

September 2020 Patch Tuesday forecast

  • Standard operating system updates; with the large Office and individual application updates released last month, expect a smaller and more limited set this time.
  • Servicing stack updates (SSUs) are hit or miss each month. The last required update was released in May. Expect to see a few in the mix once again.
  • Google Chrome 85 was released earlier this week, but we may see a security release if they have any last-minute fixes for us.
  • Mozilla security updates for Firefox and Thunderbird. The last security release was back on August 25.

Remote security management of both company-provided and user-attached systems provides many challenges. With a projected light set of updates this month, hopefully tying up valuable bandwidth isn’t one of those challenges.

Chrome 85 released with 20 fixes

Chrome 85 was released in the stable version with 20 security fixes inside, including patches for 14 vulnerabilities disclosed by external researchers.

The first of them, CVE-2020-6558, is an insufficient policy enforcement in iOS. The second, CVE-2020-6559, is a use-after-free in the presentation API.

Seven medium severity bugs reported by external researchers were patched in this Chrome release, including an inappropriate implementation in Content, four insufficient policy enforcements (in autofill, Blink, intent handling, and media), and two incorrect security UI issues (in permissions and Omnibox).

The five low risk flaws reported externally include insufficient validation of untrusted input in command line handling, insufficient policy enforcement in intent handling, integer overflow in WebUSB, side-channel information leakage in WebRTC, and incorrect security UI in Omnibox.

Although Google doesn’t mention it, earlier this week, Cisco published information on another high severity flaw that was addressed in Chrome 85, namely CVE-2020-6492 (CVSS score of 8.3).

The issue, described as use-after-free read, exists when “a WebGL component fails to properly handle objects in memory,” Cisco explains. An attacker able to successfully exploit the vulnerability could execute arbitrary code in the context of the browser process.

Cisco’s security researchers identified the bug in Chrome 81.0.4044.138 (Stable), Chrome 84.0.4136.5 (Dev), and Chrome 84.0.4143.7 (Canary), and say that Chrome 85 addresses the issue.

“This vulnerability specifically exists in ANGLE, a compatibility layer between OpenGL and Direct3D that Chrome uses on Windows systems. An adversary could manipulate the memory layout of the browser in a way that they could gain control of the use-after-free exploit, which could ultimately lead to arbitrary code execution,” Cisco adds.

The latest Chrome iteration is rolling out to Windows, Mac and Linux users as version 85.0.4183.83.

Active Directory: the heart of the business needs a proper DR plan

Active Directory, as the name suggests: if the business needs to stay active, then Active Directory should be actively protected with proper care.

Business vitality depends on AD. Every detail, from login information to email information, relies strongly on AD. So it is vital that we maintain proper hygiene to secure it from external attacks, since we have a long history of foreign intruders contaminating, encrypting and erasing information.

As the gatekeeper to critical applications and data in 90% of organizations worldwide, AD has become a prime target for widespread cyberattacks that have crippled businesses and wreaked havoc on governments and non-profit organizations.

If a disaster happens, there should be an escape route to restore it. The key considerations are elaborated below:

  • Minimize Active Directory’s attack surface: Lock down administrative access to the Active Directory service by implementing administrative tiering and secure administrative workstations, apply recommended policies and settings, and scan regularly for misconfigurations – accidental or malicious – that potentially expose your forest to abuse or attack.
  • Monitor Active Directory for signs of compromise and roll back unauthorized changes: Enable both basic and advanced auditing and periodically review key events via a centralized console. Monitor object and attribute changes at the directory level and changes replicated across domain controllers.
  • Implement a scorched-earth recovery strategy in the event of a large-scale compromise: Widespread encryption of your network, including Active Directory, requires a solid, highly automated recovery strategy that includes offline backups for all your infrastructure components as well as the ability to restore from backups without reintroducing any malware that might be on them.
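The second bullet (enable advanced auditing and review key directory-change events) as a worked example. This is an added script, not part of the original post or any vendor tooling; it assumes it runs elevated on a domain controller whose events land in the standard Security log, and the `$HoursBack` and `$Server` parameters are illustrative names chosen here.

```powershell
# Added example: enable the audit subcategories that record AD object and
# group changes, then summarise the resulting events for review.
param(
    [int]$HoursBack = 24,                 # review window, assumed default
    [string]$Server = $env:COMPUTERNAME   # DC to query
)

# 1. Advanced audit subcategories that generate directory-change events.
$subcategories = @(
    'Directory Service Changes',   # 5136/5137/5141 object modified/created/deleted
    'Directory Service Access',
    'Security Group Management',   # 4728/4732/4756 group membership changes
    'User Account Management',     # 4720 account created
    'Audit Policy Change'          # 4719 audit policy tampering
)
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. Security event IDs to review centrally (standard Windows IDs).
$watch = @{
    4719 = 'System audit policy was changed'
    4720 = 'User account created'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4670 = 'Permissions on an object were changed'
    5136 = 'Directory service object modified'
    5137 = 'Directory service object created'
    5141 = 'Directory service object deleted'
}

$events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$watch.Keys
    StartTime = (Get-Date).AddHours(-$HoursBack)
} -ErrorAction SilentlyContinue

# 3. Who did what: pull SubjectUserName from the event XML so the same
#    extraction works for every event ID above, then list newest first.
$events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time  = $_.TimeCreated
        Id    = $_.Id
        What  = $watch[$_.Id]
        Actor = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Unexpected actors or group-membership changes in this output are the candidates for rollback described in the bullet above.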