Software Security Update: September 2020 Patch Tuesday

While there are no public disclosures or exploited CVEs this month, there are a few issues to be concerned about.


Microsoft has resolved 129 Common Vulnerabilities and Exposers (CVEs) as part of this month’s Patch Tuesday update. While there are no Exploited or Publicly Disclosed vulnerabilities this month there are 23 Critical CVEs. Most of the Critical CVEs affect the Windows OS and browsers. There are seven Critical CVEs on SharePoint this month as well.

While there are no public disclosures or exploited CVEs this month, there are a few issues to be concerned about. Microsoft SharePoint has a number of Critical vulnerabilities this month including CVE-2020-1210 which has a CVSS score of 9.9. Microsoft Exchange has one CVE with a CVSS score of 9.1 (CVE-2020-16875) which could allow remote code execution if an attacker sends a specially crafted email to the affected Exchange Server. Also, CVE-2020-0761 is another remote code execution vulnerability affecting Active Directory when integrated with DNS (ADIDNS). This vulnerability has a CVSS score of 8.8.

Google Chrome released a security update resolving five security vulnerabilities. These are all rated as High severity, which is the second-highest severity rating for Google vulnerabilities.

Adobe Flash had a non-security update today, so no urgency on this month’s update. As we approach the impending End of Support for Adobe Flash Player you will want to consider how you will remove Adobe Flash across your environment. A common question that has been coming up is when and how will Flash be able to be removed completely from environments. Microsoft published an EoS statement last September stating that Microsoft Edge Chromium would disable Flash by default. For Edge and Internet Explorer, it would not be disabled by default prior to the removal in December of 2020. By December 31, 2020 Flash Player will be completely removed from all Microsoft browsers via Windows Update. Expect some sort of removal tools to become available over the next few months and likely a version of the Microsoft browsers that remove Flash.

Update Priorities this month:

    • Windows OS and Browsers (Microsoft and Google)
    • Exchange Server
    • SharePoint Server