Patch Tuesday Highlights – September 2020

This month’s Patch Tuesday was relatively quiet with few out-of-the-norm happenings. However, Microsoft still managed to fix 129 vulnerabilities across their range of products. Here’s our callout of updates and issues we think you’ll want to be aware of.

Interesting Fact

With the COVID-19 pandemic, many education and job-related activities have moved increasingly online. And with more daily online activities, the FBI has seen a spike in the number of cyber crimes reported to its Internet Crime Complaint Center (IC3). According to an article by Maggie Miller on The Hill website, the IC3 has been receiving 3 to 4 times its normal volume of complaints each day, equating to 3,000 to 4,000 complaints compared to its usual 1,000.

Maintaining patch currency is one of the key security practices an organization can perform to protect its devices against cyber crimes and threat actors. Providing a regular patch maintenance schedule for your devices is a must, whether the devices are located in a traditional office, a classroom, or a home office. ZENworks Patch Management, with its rules-based patch policies and flexible patch schedules, can help you maintain the patch currency you want and need.

Newsworthy Events

Quick Take

  • August Patch Tuesday resolves 129 Microsoft CVEs.
  • None of the 129 vulnerabilities has been publicly disclosed or has known exploits.
  • 32 of the vulnerabilities are remote code execution flaws that can be exploited over a network against vulnerable applications. 23 of these are rated Critical severity.
  • Windows 10 1607/Server 2016, Windows 10 1809 – 2004, Windows Server 2019, and Windows Server versions 1903 – 2004 have Servicing Stack Updates this month.

Windows Server 2019 Updates

  • There is a new Servicing Stack Update (KB4570332). It is not a prerequisite for September updates.
  • The cumulative update (KB4570333) resolves 73 new CVEs including 9 critical CVEs. None have public disclosures or known exploits.
  • The Cumulative Update for .NET Framework for Windows Server 2019 for x64 (KB4576627) does not resolve any vulnerabilities; however, it is rated Critical because it includes a security improvement that no longer allows ClickOnce to download applications from untrusted servers which use NTLM authentication.

Windows Server 2016 Updates

  • There is a new Servicing Stack Update (KB4576750). It is not a prerequisite for September updates.
  • The cumulative update (KB4577015) resolves 62 new CVEs, including 9 critical CVEs. None have public disclosures or known exploits.
  • The Cumulative Update for .NET Framework for Windows Server 2016 for x64 (KB4576479 or KB4576482) does not resolve any vulnerabilities; however, it is rated Critical because it includes a security improvement that no longer allows ClickOnce to download applications from untrusted servers which use NTLM authentication.

Windows 10 Updates

  • There is a new Servicing Stack Update (KB number varies by version) for version 1607 and versions 1809 through 2004. It is not a prerequisite for September updates.
  • The cumulative update (KB number varies by version) resolves up to 85 CVEs depending on the version, including 9 critical CVEs. None have public disclosures or known exploits.
  • The Cumulative Update for .NET Framework for Windows 10 (KB number varies by version) does not resolve any vulnerabilities; however, it is rated Critical because it includes a security improvement that no longer allows ClickOnce to download applications from untrusted servers which use NTLM authentication.

Windows 8.1 / Windows Server 2012 R2 Updates

  • The Security Monthly Quality Rollup (KB4577066) resolves 47 new CVEs, including 6 critical CVEs, and 3 new Internet Explorer 11 CVEs. None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4577071) resolves 47 new CVEs including 6 critical CVEs. None have public disclosures or known exploits.
  • The Security Update for Internet Explorer 11 (KB4577010) resolves 3 new CVEs. Apply it with the Security Only Quality Update (KB4577071). It is not needed with the Security Monthly Quality Rollup (KB4577066).
  • The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows 8.1 and Server 2012 R2 (KB4576489 and KB4576630) does not resolve any vulnerabilities; however, it is rated Critical because it includes a security improvement that no longer allows ClickOnce to download applications from untrusted servers which use NTLM authentication.

Windows Server 2012 Updates

  • The Security Monthly Quality Rollup (KB4577038) resolves 45 new CVEs and 3 new Internet Explorer 11 CVEs. None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4577048) resolves 45 new CVEs. None have public disclosures or known exploits.
  • The Security Update for Internet Explorer 11 (KB4577010) resolves 3 new CVEs. Apply it with the Security Only Quality Update (KB4577048). It is not needed with the Security Monthly Quality Rollup (KB4577038).
  • The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows Server 2012 (KB4576488 and KB4576629) does not resolve any vulnerabilities; however, it is rated Critical because it includes a security improvement that no longer allows ClickOnce to download applications from untrusted servers which use NTLM authentication.

Windows 7 / Windows Server 2008 R2 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • The Security Monthly Quality Rollup (KB4577051) resolves 39 new CVEs, including 6 critical CVEs, and 3 new Internet Explorer 11 CVEs. None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4577053) resolves 39 new CVEs. None have public disclosures or known exploits.
  • The Security Update for Internet Explorer 11 (KB4577010) resolves 3 new CVEs. Apply it with the Security Only Quality Update (KB4577053). It is not needed with the Security Monthly Quality Rollup (KB4577051).
  • The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows 7 / Windows Server 2008 R2 (KB4576628 and KB4576490) does not resolve any vulnerabilities; however, it is rated Critical because it includes a security improvement that no longer allows ClickOnce to download applications from untrusted servers which use NTLM authentication.

Windows Server 2008 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • The Security Monthly Quality Rollup (KB4577064) resolves 38 new CVEs, including 10 critical CVEs, and 1 new Internet Explorer 9 CVE. None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4577070) resolves 38 new CVEs including 10 critical CVEs. None have public disclosures or known exploits.
  • The Security Update for Internet Explorer 9 (KB4577010) resolves 1 new CVE. Apply it with the Security Only Quality Update (KB4577070). It is not needed with the Security Monthly Quality Rollup (KB4577064).
  • The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows Server 2008 (KB4576612 and KB4576631) does not resolve any vulnerabilities; however, it is rated Critical because it includes a security improvement that no longer allows ClickOnce to download applications from untrusted servers which use NTLM authentication.

Microsoft SharePoint Server

  • The monthly Security Updates resolve 20 CVEs (including 7 critical CVEs) across Enterprise Server 2013 & 2016, Foundation Server 2013, and SharePoint Server 2010. None have public disclosures or known exploits.

Microsoft Office 2010–2016 (Windows) and 2016–2019 (Mac)

  • The Security Update resolves up to 8 new CVEs depending on the version. None have public disclosures or known exploits. The maximum severity is Critical.

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

  • Each channel update resolves up to 7 new CVEs depending on the version. None have public disclosures or known exploits. The maximum severity is Critical.

Google Chrome

  • Chrome 85.0.4183.83 (released August 25, 2020) resolves 20 new CVEs, including 2 High impact CVEs. None have public disclosures or known exploits.

Mozilla Firefox

  • Firefox 80.0 (released August 25, 2020) resolves 10 vulnerabilities including 3 High impact CVEs. None have public disclosures or known exploits.
  • Firefox ESR 68.12.0 and Firefox ESR 78.2.0 (released August 25, 2020) resolve 3 new CVEs. All 3 are High impact. None have public disclosures or known exploits.

Mozilla Thunderbird

  • Thunderbird 78.2.0 (released August 25, 2020) resolves 3 new CVEs. All 3 are High impact. None have public disclosures or known exploits.

Microsoft Edge

  • Microsoft Edge Stable Channel 85.0.564.51 (released September 9, 2020) resolves 4 new CVEs. All 4 are High severity. None have public disclosures or known exploits.

Last update: 2020-09-11 19:26