Patch Tuesday Highlights – October 2020

For the first time since March, Microsoft fixed fewer than 100 vulnerabilities across its range of products. However, six of those vulnerabilities are already publicly disclosed so you’ll want to patch those as quickly as possible. Here’s our callout of security updates and issues we think you’ll want to be aware of.

Newsworthy Events

  • Six publicly disclosed vulnerabilities this month: CVE-2020-16885, CVE-2020-16901, CVE-2020-16908, CVE-2020-16909, CVE-2020-16937, CVE-2020-16938. All of them have patches, but "publicly disclosed" means that enough information, examples, or proof-of-concept code has already been released publicly to give threat actors a head start on exploiting the vulnerability. You should patch publicly disclosed vulnerabilities as quickly as possible, ideally within 14 days of patch release.
  • ZeroLogon (CVE-2020-1472), a vulnerability in the cryptography of Microsoft’s Netlogon process that allows attacks against AD domain controllers, is being actively exploited. Microsoft has provided guidance for protecting your environment.
  • CVE-2020-16947 is a Microsoft Outlook Remote Code Execution Vulnerability that could allow code execution on affected versions of Outlook by viewing a specially crafted email in the Preview Pane. Users do not even have to open the email, as the Preview Pane is the attack vector. While this vulnerability is not publicly disclosed, ZDI reports that it has a working proof-of-concept and recommends that you patch this vulnerability as quickly as possible.
  • Adobe Flash Player general end-of-life is December 31st.

Quick Take

  • Fewer than 100 CVEs (87) for the first time since March of this year.
  • Servicing Stack Updates this month: Windows Server 2008, Windows 7/Server 2008 R2, Windows Server versions 1803 and 1903 – 1909, Windows Server 2019, and Windows 10 1803 – 1909.

Windows Server 2019 Updates

  • There is a new Servicing Stack Update (KB4579976). It is not a prerequisite for October updates.
  • The cumulative update (KB4577668) resolves 48 new CVEs including 5 critical CVEs. Two have public disclosures: (CVE-2020-16885 and CVE-2020-16909).
  • The Cumulative Update for .NET Framework for Windows Server 2019 for x64 (KB4579976) resolves one publicly disclosed vulnerability (CVE-2020-16937).

Windows Server 2016 Updates

Windows 10 Updates

  • There is a new Servicing Stack Update (KB number varies by version) for versions 1803 through 1909. It is not a prerequisite for October updates.
  • The cumulative update (KB number varies by version) resolves up to 53 CVEs depending on the version including 7 critical CVEs. Five of the vulnerabilities have been publicly disclosed: (CVE-2020-16885, CVE-2020-16901, CVE-2020-16908, CVE-2020-16909, and CVE-2020-16938).
  • The Cumulative Update for .NET Framework for Windows 10 (KB number varies by version) resolves one publicly disclosed vulnerability (CVE-2020-16937 or CVE-2020-16938).

Windows 8.1 / Windows Server 2012 R2 Updates

  • The Security Monthly Quality Rollup (KB4580347) resolves 20 new CVEs including 3 critical CVEs. None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4580358) resolves 20 new CVEs including 3 critical CVEs. None have public disclosures or known exploits.
  • The Security Only Update (KB4566468 and KB4580469) or Security and Quality Rollup (KB4579979) for .NET Framework for Windows 8.1 and Server 2012 R2 resolves one publicly disclosed vulnerability (CVE-2020-16937).

Windows Server 2012 Updates

  • The Security Monthly Quality Rollup (KB4580382) resolves 18 new CVEs, including 3 critical CVEs. None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4580353) resolves 18 new CVEs, including 3 critical CVEs. None have public disclosures or known exploits.
  • The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows Server 2012 (KB4580468 and KB4579978) resolves one publicly disclosed vulnerability (CVE-2020-16937).

Windows 7 / Windows Server 2008 R2 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • There is a new Servicing Stack Update (KB4580970). It is not a prerequisite for October updates.
  • The Security Monthly Quality Rollup (KB4580345) resolves 23 new CVEs including 2 critical CVEs. None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4580387) resolves 23 new CVEs including 2 critical CVEs. None have public disclosures or known exploits.
  • The Security Only Update (KB4566466 and KB4580467) or Security and Quality Rollup (KB4579977) for .NET Framework for Windows 8.1 and Server 2012 R2 resolves one publicly disclosed vulnerability (CVE-2020-16937).

Windows Server 2008 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • There is a new Servicing Stack Update (KB4580971). It is not a prerequisite for October updates.
  • The Security Monthly Quality Rollup (KB4580378) resolves 14 new CVEs including 2 critical CVEs. None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4580385) resolves 14 new CVEs including 2 critical CVEs. None have public disclosures or known exploits.
  • The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows Server 2008 (KB4566469 and KB4579980) resolves one publicly disclosed vulnerability (CVE-2020-16937).
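The following PowerShell script is an added example for this post, not code from Microsoft, ZENworks, or the original author. It turns the KB lists above into a per-machine check: it reads the OS caption, looks up the expected October 2020 updates for that OS family, and reports which requirements are met by the packages that Get-HotFix sees. The KB numbers are transcribed from the sections above; the requirement syntax ('|' separates acceptable alternatives such as Monthly Rollup versus Security Only, '+' joins packages that must both be present) and the function and table names are this example's own. Windows 10 is left out because its KB numbers vary by version.

```powershell
# Added example (not Microsoft's or ZENworks' code): check the local machine
# against the October 2020 KB numbers listed in the post. Requirement syntax
# ('|' = alternatives, '+' = both needed) and all names here are assumptions
# made for this example.

$Win81_2012R2 = @{
    'OS update'   = 'KB4580347 | KB4580358'             # Monthly Rollup or Security Only
    '.NET update' = 'KB4579979 | KB4566468+KB4580469'   # Rollup, or both Security Only packages
}
$Win7_2008R2 = @{
    'Servicing stack' = 'KB4580970'
    'OS update'       = 'KB4580345 | KB4580387'
    '.NET update'     = 'KB4579977 | KB4566466+KB4580467'
}
$Requirements = @{
    'Windows Server 2019'    = @{ 'Cumulative update' = 'KB4577668'; '.NET update' = 'KB4579976' }
    'Windows Server 2012 R2' = $Win81_2012R2
    'Windows 8.1'            = $Win81_2012R2
    'Windows Server 2012'    = @{ 'OS update' = 'KB4580382 | KB4580353'; '.NET update' = 'KB4579978 | KB4580468' }
    'Windows Server 2008 R2' = $Win7_2008R2
    'Windows 7'              = $Win7_2008R2
    'Windows Server 2008'    = @{ 'Servicing stack' = 'KB4580971'; 'OS update' = 'KB4580378 | KB4580385'; '.NET update' = 'KB4579980 | KB4566469' }
}

function Get-OsFamily {
    param([string]$Caption = (Get-CimInstance Win32_OperatingSystem).Caption)
    # Longest key first, so 'Windows Server 2012 R2' is not matched as 'Windows Server 2012'.
    foreach ($key in ($Requirements.Keys | Sort-Object Length -Descending)) {
        if ($Caption -like "*$key*") { return $key }
    }
}

function Test-OctoberUpdates {
    param(
        # Get-HotFix reads Win32_QuickFixEngineering; if a KB you installed is
        # unexpectedly absent, cross-check with the Windows Update history.
        [string[]]$InstalledKBs = (Get-HotFix | Select-Object -ExpandProperty HotFixID),
        [string]$OsFamily = (Get-OsFamily)
    )
    if (-not $OsFamily) { Write-Warning 'No KB table for this OS family.'; return }

    foreach ($entry in $Requirements[$OsFamily].GetEnumerator()) {
        # Parse the acceptable KB sets; an ArrayList keeps each set as one element.
        $alternatives = New-Object System.Collections.ArrayList
        foreach ($alt in ($entry.Value -split '\|')) {
            [void]$alternatives.Add(@($alt.Trim() -split '\+'))
        }
        # A requirement is met when every KB in at least one set is installed.
        $matched = $null
        foreach ($set in $alternatives) {
            $missing = @($set | Where-Object { $InstalledKBs -notcontains $_ })
            if ($missing.Count -eq 0) { $matched = $set; break }
        }
        [pscustomobject]@{
            OS          = $OsFamily
            Requirement = $entry.Key
            Installed   = [bool]$matched
            SatisfiedBy = $(if ($matched) { $matched -join '+' } else { '' })
            Expected    = $entry.Value
        }
    }
}

# Live check on this machine:
Test-OctoberUpdates | Format-Table -AutoSize

# Offline check against a constructed inventory (for example, exported from another host):
Test-OctoberUpdates -OsFamily 'Windows Server 2012 R2' -InstalledKBs 'KB4580358', 'KB4566468' |
    Format-Table -AutoSize
```

In the offline call the OS update requirement is reported as satisfied by KB4580358 (the Security Only update), while the .NET requirement is reported as not installed because only one of the two Security Only .NET packages is present. Because Get-HotFix depends on Win32_QuickFixEngineering, treat a "not installed" result as a prompt to verify, not as proof the machine is unpatched.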

Microsoft SharePoint Server

  • The monthly Security Updates resolve 11 CVEs (including 7 critical CVEs) across Enterprise Server 2013 & 2016, Foundation Server 2013, and SharePoint Server 2010. None have public disclosures or known exploits.

Microsoft Office 2010–2016 (Windows) and 2016–2019 (Mac)

  • The Security Update resolves up to 8 new CVEs depending on the version. None have public disclosures or known exploits. The maximum severity is Critical.

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

  • Each channel update resolves up to 13 new CVEs depending on the version. None have public disclosures or known exploits. The maximum severity is Critical.

Adobe Flash Player

  • The Security Update (all Windows versions) resolves one critical CVE (CVE-2020-9746). It is not publicly disclosed or known to be exploited.
