In September’s edition of Microsoft Patch Tuesday, the company has released nearly 130 patches for various security vulnerabilities found in Windows OS and related software.
This is the seventh month in a row in which Microsoft has provided more than 100 security patches for its products.
The great news is that there is no record of any of them being actively exploited.
That said, 23 of these can be used to gain control over a victim’s computer without any further assistance.
The first, CVE-2020-16875, affects the email software Microsoft Exchange Server 2016 and 2019.
The vulnerability is rated as critical.
To exploit it, an attacker only needs to send a booby-trapped email to a vulnerable Exchange server.
If successful, the attacker can proceed to run any code of their choosing.
Moving on, we have CVE-2020-1210, a remote code execution flaw in the document management software Microsoft SharePoint.
An attacker could capitalise on this one by uploading an infected file to a vulnerable SharePoint site.
According to Tenable, a cyber security company, this vulnerability has a close resemblance to CVE-2019-0604, which has been exploited since April 2019.
Allan Liska, Threat Intel Analyst at Recorded Future, emphasised the danger that SharePoint security flaws represent to enterprises, as those who spread ransomware have been known to take advantage of them.
In addition to fixes for Microsoft products, this month’s Patch Tuesday comes with fixes for Google’s Chrome browser, patching five flaws of high severity.
If Chrome is currently running on your computer, closing and reopening it should apply the updates automatically.
It is worth noting that Adobe Flash Player has not received an update since June 2020, which suggests that attackers might have stopped looking for ways to exploit it.
It will be retired by the end of 2020.