Virtual Administrator’s September 2020 Patch Recommendations


This month Microsoft released patches for 129 vulnerabilities with 23 rated “Critical” and 105 “Important” in severity.

 

All patches have been approved in our patch policy.

September is another big month, patching 129 vulnerabilities. There are no zero-day patches: none are publicly known or being exploited. Most concerning this month is a remote code execution (RCE) vulnerability in Microsoft Exchange server (CVE-2020-16875). There are 5 RCE vulnerabilities patched in Microsoft SharePoint. The SharePoint patches have some known issues outlined below. We have also seen reports that Bitdefender may block update KB4574727. There are also two updated Security Advisories (ADV990001 and ADV200002) addressing Servicing Stack Updates and Chromium.

 

Good News! Monthly SSU update may no longer be necessary

Simplifying on-premises deployment of servicing stack updates

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039

 

Special Deny KB4023057

This update was re-released in late August. It is a Windows 10 “for update reliability” update and we don’t trust it. In the past Microsoft has not been forthcoming about many of their releases affecting the update processes in Windows 10. KB4023057 was originally released a few years ago as an “Optional Update” and has progressed to the current “High Priority Critical Update”. The urgency is entirely Microsoft’s. They really want you to install this. Again, Microsoft is vague about exactly what KB4023057 does, but we have read reports that it will overwrite any current Windows Update setting you have applied. It can also help Windows Update Assistant update the machine to the latest version of Windows 10. So it can undo your ability to manage patches and spontaneously upgrade Windows 10 to the newest version.

With that said, KB4023057 does have some beneficial features that will evaluate a machine’s readiness for new versions of Windows 10 and facilitate the upgrade process. If you are having trouble upgrading to a newer version of Windows 10, this can be a useful tool to install; otherwise we do not recommend installing it.

 

Disclosed: None

Exploited: None

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software includes:

  • Microsoft Windows
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Edge (Chromium-based)
  • Microsoft ChakraCore
  • Internet Explorer
  • SQL Server
  • Microsoft JET Database Engine
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Microsoft Dynamics
  • Visual Studio
  • Microsoft Exchange Server
  • ASP.NET
  • Microsoft OneDrive
  • Azure DevOps

 

Microsoft Security Advisories

 

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:09/08/2020)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

 

ADV200002 | Chromium Security Updates for Microsoft Edge (Chromium-Based) (Published:01/28/2020 | Last Updated:09/10/2020)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200002

This advisory will be updated whenever Microsoft releases a version of Microsoft Edge (Chromium-based) which incorporates publicly disclosed security updates from the Chromium project. Microsoft will document separately any vulnerabilities in Microsoft Edge (Chromium-based), that are not in Chromium, under a Microsoft-assigned CVE number.

 

Known Issues

There are some problems with the SharePoint patches. Microsoft Edge Legacy may have trouble reaching websites. Microsoft continues to report issues using their IMEs on Windows 10. The link to the fix is listed below. Also, Bitdefender may block KB4574727 for Windows 10 1903.

 

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

 

Security update for SharePoint (KB4484488/KB4484515/KB4486667)

Applies to: SharePoint Foundation 2013/Enterprise Server 2013/Foundation 2010

Security updates for SharePoint pages may not render

Symptoms: After you install this update, some SharePoint pages may not render, and may generate the following error message:

“Web Part Error: A Web Part or Web Form Control on this Page cannot be displayed or imported. The type could not be found or it is not registered as safe.”

To resolve this issue, see KB 4572409.

Mitigation: SharePoint pages do not render when using unsafe controls

https://support.microsoft.com/en-us/help/4572409/sharepoint-pages-not-render-when-using-unsafe-controls

 

Error using Microsoft Edge Legacy (KB4570333)

https://support.microsoft.com/en-us/help/4570333/windows-10-update-kb4570333

Applies to: Windows 10 1809, Windows Server 2019

Symptoms: After installing KB4550969 or later, when using Microsoft Edge Legacy, you might receive the error, “0x80704006. Hmmmm…can’t reach this page” when attempting to reach websites on non-standard ports. Any website that uses a port listed in the Fetch Standard specification under bad ports or port blocking might cause this issue.

Mitigation: See above link for KB4570333

Fix: We are working on a resolution and will provide an update in an upcoming release.

 

You might have issues on Windows 10, version 2004 when using some Microsoft IMEs

https://support.microsoft.com/en-us/help/4564002/you-might-have-issues-on-windows-10-version-2004-when-using-some-micro

 

Other Known Issues

Bit Defender blocking windows update KB4574727

https://community.bitdefender.com/en/discussion/82835/bit-defender-blocking-windows-update-kb4574727?awc=15520_1599830919_0f4b6b7d1b9bcf4ba8f4ec87adab290f

 

Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Each KB links to https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only.

 

Security and Quality Rollup

  • KB4577051 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB4577066 – Windows 8.1, Windows Server 2012 R2
  • KB4577038 – Windows Server 2012
  • KB4577064 – Windows Server 2008 (ESU)

 

Security Only Update

  • KB4577053 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB4577071 – Windows 8.1, Windows Server 2012 R2
  • KB4577048 – Windows Server 2012
  • KB4577070 – Windows Server 2008 (ESU)

 

Cumulative Update for Windows 10

  • KB4577049 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB4577015 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4577021 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4577041 – Version 1709 “Fall Creators Update” (OS Build 16299)
  • KB4577032 – Version 1803 “Spring Creators Update” (OS Build 17134)
  • KB4570333 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB4574727 – Version 1903 “May 2019 Update” (OS Build 18362)
  • KB4574727 – Version 1909 “November 2019 Update” (OS Build 18363)
  • KB4571756 – Version 2004 “May 2020 Update” (OS Build 19041)

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

 

KB4577010 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.

 

None – Security Update for Adobe Flash Player

 

September 2020 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4576653/september-2020-updates-for-microsoft-office

 

Notable CVEs

 

CVE-2020-1200 | Microsoft SharePoint Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1200

Same issues: CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, CVE-2020-1576

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.

The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.

 

CVE-2020-1252 | Windows Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1252

A remote code execution vulnerability exists when Windows improperly handles objects in memory. To exploit the vulnerability an attacker would have to convince a user to run a specially crafted application.

An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The updates address the vulnerability by correcting how Windows handles objects in memory.

 

CVE-2020-16875 | Microsoft Exchange Server Remote Code Execution Vulnerability (KB4577352)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16875

A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments.

An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised.

The security update addresses the vulnerability by correcting how Microsoft Exchange handles cmdlet arguments.