08
Sep 20

Microsoft Patch Tuesday, Sept. 2020 Edition

Microsoft today released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software. None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users.

The majority of the most dangerous or “critical” bugs deal with issues in Microsoft’s various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server.

“That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” said Dustin Childs, of Trend Micro’s Zero Day Initiative. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon. This should be your top priority.”

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that’s been exploited for cybercriminal gains since April 2019.

Microsoft fixed at least five other serious bugs in Sharepoint versions 2010 through 2019 that also could be used to compromise systems running this software. And because ransomware purveyors have a history of seizing upon Sharepoint flaws to wreak havoc inside enterprises, companies should definitely prioritize deployment of these fixes, says Alan Liska, senior security architect at Recorded Future.

Todd Schell at Ivanti reminds us that Patch Tuesday isn’t just about Windows updates: Google has shipped a critical update for its Chrome browser that resolves at least five security flaws that are rated high severity. If you use Chrome and notice an icon featuring a small upward-facing arrow inside of a circle to the right of the address bar, it’s time to update. Completely closing out Chrome and restarting it should apply the pending updates.

Once again, there are no security updates available today for Adobe’s Flash Player, although the company did ship a non-security software update for the browser plugin. The last time Flash got a security update was June 2020, which may suggest researchers and/or attackers have stopped looking for flaws in it. Adobe says it will retire the plugin at the end of this year, and Microsoft has said it plans to completely remove the program from all Microsoft browsers via Windows Update by then.

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates even have known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Tags: , , , , , , , , , , ,

53 comments

  1. I downloaded updates on my laptop yesterday and now everything is running slow. It also is taking about 3-5 minutes to start up. I’m attempting to uninstall updates from 9/22/2020. I hope it doesn’t screw everything up. It was running perfectly before 9/22. I performed all of the typical things one would recommend to make boot-up faster, and ran anti-malware and other utilities.

    • Kris (and others), I have occasionally experienced that slowness after an install of patches or an update to the next Windows 10 release.

      What has worked for me is to let everything run for about 30 minutes, then doing a full shutdown (and power off), and then reboot. No uninstallation of anything.

      After that second reboot, things are back running properly. There seem to be a set of background processes that are executing related to updating the Windows cache after an upgrade — especially when lots of files have changed — and it can cause performance impact for a while.

      I’ve often found that after about two or so hours on older systems, when this issue has occurred (which has not be frequently for me at all), the issue is resolved as well, but if you need to use the machine sooner, shut it down fully, and then restart it normally and it should be fine.

      -ASB

  2. The last Windows update corrupted computer and caused it to crash. NOT HAPPY!!!

  3. HAD AUTO UPDATE. TURNED COMPUTER ON AND IT CONKED OUT SEVERAL TIMES. REBOOTED ROUTER BUT PROBLEM PERSISTED. CALLED VERIZON AND AUTO REMOTE FIXING WORKED. WHEN ALL CAME BACK IT WAS SLIGHTLY DIFFERENT THAN BEFORE WITH PROPER WIRELESS WI-FI DISPLAYED . CAN YOU TELL I’M A COMPUTER ILLITERATE BY ABOVE BUT EVERYTHING IS O.K. NOW.

Leave a comment