September 2020 Patch Tuesday – 129 Vulnerabilities, 23 Critical, SharePoint, Exchange, Windows Codecs, Adobe Vulns

This month’s Microsoft Patch Tuesday addresses 129 vulnerabilities with 23 of them labeled as Critical. The 23 Critical vulnerabilities cover SharePoint, Exchange, Dynamics 365, Windows Codecs, and several other workstation vulnerabilities. Adobe released patches today for Experience Manager, Framemaker, and InDesign.

Workstation Patches

Continuing the trend, today’s Patch Tuesday fixes many vulnerabilities that would impact workstations. The Windows Codecs, GDI+, Browser, COM, and Text Service Module vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

SharePoint RCEs

Microsoft patched seven vulnerabilities in SharePoint that could lead to Remote Code Execution. Five of these vulnerabilities (CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, CVE-2020-1576) involve uploading a malicious application package, and one (CVE-2020-1460) involves user-created content. The remaining vulnerability (CVE-2020-1595) is a deserialization vulnerability in SharePoint APIs. Because of this, it is highly recommended to prioritize these patches across all SharePoint deployments.

Exchange RCE

Microsoft also patched a Remote Code Execution vulnerability in Exchange (CVE-2020-16875), which would allow an attacker to run code as System by sending a malicious email. Microsoft does rank this as “Exploitation Less Likely,” but due to the open attack vector, this patch should be prioritized on all Exchange Servers.

Dynamics 365

Microsoft also patched two RCEs (CVE-2020-16857, CVE-2020-16862) in the on-prem version of Dynamics 365, the latter of which appears to be SQL injection. Any on-prem Dynamics 365 should have these patches prioritized.


Adobe issued patches today covering multiple vulnerabilities in Experience Manager, Framemaker, and InDesign. The patches for Experience Manager are labeled as Priority 2, while the remaining patches are set to Priority 3.

While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.

About Patch Tuesday

Patch Tuesday QIDs are published at Security Alerts, typically late in the evening of Patch Tuesday.

This post was first first published on Qualys Security Blog’ website by Jimmy Graham. You can view it by clicking here