September Patch Tuesday- 2020

Copyright © 2020 Ivanti. All rights reserved.
Patch Tuesday Webinar
Wednesday, September 9, 2020
Hosted by: Chris Goettl & Todd Schell
Dial in: 1-877-668-4490 (US)
Event ID: 133 233 5824

Agenda
September 2020 Patch Tuesday Overview
In the News
Bulletins and Releases
Between Patch Tuesdays
Q & A
1
2
3
4
5

Copyright © 2020 Ivanti. All rights reserved.Copyright © 2020 Ivanti. All rights reserved.
Overview

In the News

In The News . . .
 Back to School Security
 https://www.governing.com/security/Security-Trouble-Grows-in-Academia-as-School-
Begins.html
 Simplifying On-premises Deployment of Servicing Stack Updates
 https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-
deployment-of-servicing-stack-updates/ba-p/1646039
 The End of Flash is Near
 Adobe Flash end of support on December 31, 2020
 Security Update for .NET???
 https://support.microsoft.com/en-us/help/4576479/kb4576479-cumulative-update-for-net-
framework
 User Proxy Disabled for HTTP-based Intranet Servers Scanning WSUS
 https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-
for-windows-devices-scanning-wsus/ba-p/1645547

Microsoft Patch Tuesday Updates of Interest
 Advisory 990001 Latest Servicing Stack Updates (SSU)
 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001
 Updated SSUs this month
 Windows 10 1607/Server 2016
 Windows 10 1809-2004
 Windows Server 2019
 Windows Server, versions 1903-2004
 Development Tool and Other Updates
 ASP.NET Core 2.1, 3.1
 Visual Studio 2012-2019
 Visual Studio Code
Source: Microsoft

Windows 10 Lifecycle Awareness
 Windows 10 Branch Support
Source: Microsoft

Windows 10 Lifecycle Awareness (cont)
 Enterprise LTSB/LTSC Support
 Complete Lifecycle Fact Sheet
 https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
Source: Microsoft

Patch Content Announcements
 Announcements Posted on Community Forum Pages
 https://forums.ivanti.com/s/group/CollaborationGroup/00Ba0000009oKICEA2
 Subscribe to receive email for the desired product(s)

Bulletins and Releases

MS20-09-W10: Windows 10 Update
 Maximum Severity: Critical
 Affected Products: Microsoft Windows 10 Versions 1607, 1709, 1803, 1809, 1903,
1909, 2004, Server 2016, Server 2019, Server version 1709, Server version 1803,
Server version 2004, IE 11, Legacy Edge and Edge Chromium
 Description: This bulletin references 11 KB articles and release notes for Edge
Chromium. See KBs for the list of changes.
 Impact: Remote Code Execution, Security Feature Bypass, Spoofing, Denial of
Service, Elevation of Privilege and Information Disclosure
 Fixes 85 Vulnerabilities: No CVEs are publicly disclosed or known exploited. See
Details column of Security Update Guide for the complete list of CVEs.
 Restart Required: Requires restart
 Known Issues: See next slides

September Known Issues for Windows 10
 KB 4577015 – Windows 10, Version 1607 and Server 2016
 [Min Password] After installing KB4467684, the cluster service may fail to start with
the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum
Password Length” is configured with greater than 14 characters. Workaround:
Set the domain default "Minimum Password Length" policy to less than or equal to
14 characters. Microsoft is working on a resolution.
 KB 4570333 – Windows 10, Version 1809, Server 2019 All Versions
 [Asian Packs] After installing KB 4493509, devices with some Asian language
packs installed may receive the error, "0x800f0982 -
PSFX_E_MATCHING_COMPONENT_NOT_FOUND.“ Workaround: Uninstall
and reinstall any recently added language packs or select Check for Updates and
install the April 2019 Cumulative Update. See KB for more recovery details.
Microsoft is working on a resolution.

September Known Issues for Windows 10 (cont)
 KB 4570333 – Windows 10, Version 1809, Server 2019 All Versions
 [Edge] After installing KB4550969 or later, when using Microsoft Edge Legacy, you
might receive the error,”0x80704006. Hmmmm…can’t reach this page” when
attempting to reach websites on non-standard ports. Any website that uses a port
listed in the Fetch Standard specification under bad ports or port blocking might
cause this issue. Workaround: Do one of the following:
 Update to the new, Chromium-based Microsoft Edge and configure it to allow the port
used for the affected site.
 Use Internet Explorer 11 to access the website.
 Update Windows 10 to a newer version.
 Configure the website to use a standard port on the server side. Don’t use a port that is
listed in the Fetch Standard specification under bad ports or port blocking.
 Microsoft is working on a resolution.

September Known Issues for Windows 10 (cont)
 KB 4571756 – Windows 10, Version 2004
 [Editor] When using some apps, such as Microsoft Excel, users of the Microsoft
Input Method Editor (IME) for Chinese and Japanese might receive an error, or the
app might stop responding or close when attempting to drag using the mouse.
Workaround:
1. Select Start, type Settings and select it or press enter.
2. Type IME settings into the search box within Settings and select the IME settings
that are appropriate to your language, for example Japanese IME Settings.
3. Select General.
4. Turn on Use previous version of Microsoft IME.
 Microsoft is working on a solution.

MS20-09-IE: Security Updates for Internet Explorer
 Affected Products: IE 9 and IE 11
 Description: The fixes that are included in the cumulative Security Update for
Internet Explorer are also included in the September 2020 Security Monthly Quality
Rollup. Installing either the Security Update for Internet Explorer or the Security
Monthly Quality Rollup installs the fixes that are in the cumulative update. This bulletin
references 12 KB articles.
 Impact: Remote Code Execution and Elevation of Privilege
 Fixes 3 Vulnerabilities: No CVEs are publicly disclosed or known exploited. CVE-
2020-0878 is fixed in IE 9. CVE-2020-0878, CVE-2020-1012 and CVE-2020-1506 are
fixed in IE 11.
 Restart Required: Requires browser restart
 Known Issues: None reported

MS20-09-MR2K8-ESU: Monthly Rollup for Windows Server 2008
 Affected Products: Microsoft Windows Server 2008 and IE 9
 Description: Security update includes improvements and fixes that were a part of update KB
4571730 (released August 11, 2020). Bulletin is based on KB 4577064. Addresses a security
vulnerability issue with user proxies and HTTP-based intranet servers. Security updates to
Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Cloud
Infrastructure, Windows Authentication, Windows Cryptography, Windows Kernel, Windows
Hybrid Cloud Networking, Windows Peripherals, Windows Storage and Filesystems, Windows
Network Security and Containers, the Microsoft Scripting Engine, and Windows SQL
components.
 Impact: Remote Code Execution, Denial of Service, Elevation of Privilege and Information
Disclosure
 Fixes 38 + 1 (IE 9) Vulnerabilities: No CVEs are publicly disclosed or known exploited. See
the Security Update Guide for the complete list of CVEs.
 Known Issues: [File Rename] See next slide.

September Known Issues for Server 2008
 KB 4577064 – Windows Server 2008 (Monthly Rollup)
 [File Rename] Certain operations, such as rename, that you perform on files or folders that
are on a Cluster Shared Volume (CSV) may fail with the error,
“STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform
the operation on a CSV owner node from a process that doesn’t have administrator
privilege. Workaround: Perform the operation from a process that has administrator
privilege or perform the operation from a node that doesn’t have CSV ownership. Microsoft
is working on a resolution.
 KB 4577070 – Windows Server 2008 (Security-only Update)

MS20-09-SO2K8-ESU: Security-only Update for Windows Server 2008
 Affected Products: Microsoft Windows Server 2008
 Description: Bulletin is based on KB 4577070. Security updates to Windows App Platform and
Frameworks, Windows Graphics, Windows Media, Windows Cloud Infrastructure, Windows
Authentication, Windows Cryptography, Windows Kernel, Windows Hybrid Cloud Networking,
Windows Peripherals, Windows Storage and Filesystems, Windows Network Security and
Containers, and Windows SQL components.
Disclosure
 Fixes 38 Vulnerabilities: No CVEs are publicly disclosed or known exploited. See the Security
Update Guide for the complete list of CVEs.
 Known Issues: [File Rename] See previous slide.

MS20-09-MR7-ESU: Monthly Rollup for Win 7
MS20-09-MR2K8R2-ESU Monthly Rollup for Server 2008 R2
 Affected Products: Microsoft Windows 7, Server 2008 R2, and IE
Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Cloud
Infrastructure, Windows Authentication, Windows Cryptography, Windows Kernel, Windows
Hybrid Cloud Networking, Windows Peripherals, Windows Storage and Filesystems, Windows
Network Security and Containers, the Microsoft Scripting Engine, and Windows SQL
components.
Disclosure
 Fixes 39 + 3 IE Vulnerabilities: No CVEs are publicly disclosed or known exploited. See
 Known Issues: [File Rename]

MS20-09-SO7-ESU: Security-only Update for Win 7
MS20-09-SO2K8R2-ESU: Security-only Update for Server 2008 R2
 Affected Products: Microsoft Windows 7 and Server 2008 R2
Frameworks, Windows Graphics, Windows Media, Windows Cloud Infrastructure, Windows
Authentication, Windows Cryptography, Windows Kernel, Windows Hybrid Cloud Networking,
Containers, and Windows SQL components.
Disclosure
 Fixes 39 Vulnerabilities: No CVEs are publicly disclosed or known exploited. See Details
column of Security Update Guide for the complete list of CVEs.

MS20-09-MR8: Monthly Rollup for Server 2012
 Affected Products: Microsoft Windows Server 2012 and IE
Windows App Platform and Frameworks, Windows Graphics, Windows Input and Composition,
Windows Media, Windows Cloud Infrastructure, Windows Authentication, Windows
Cryptography, Windows Fundamentals, Windows Kernel, Windows Hybrid Cloud Networking,
Containers, Windows Update Stack, the Microsoft Scripting Engine, and Windows SQL
components.
Disclosure

MS20-09-SO8: Security-only Update for Windows Server 2012
 Affected Products: Microsoft Windows Server 2012
Frameworks, Windows Graphics, Windows Input and Composition, Windows Media, Windows
Cloud Infrastructure, Windows Authentication, Windows Cryptography, Windows Fundamentals,
Windows Kernel, Windows Hybrid Cloud Networking, Windows Peripherals, Windows Storage
and Filesystems, Windows Network Security and Containers, Windows Update Stack, and
Windows SQL components.
Disclosure

MS20-09-MR81: Monthly Rollup for Win 8.1 and Server 2012 R2
 Affected Products: Microsoft Windows 8.1, Server 2012 R2, and IE
Windows Media, Windows Input and Composition, Windows App Platform and Frameworks,
Windows Graphics, Windows Cloud Infrastructure, Windows Authentication, Windows
Cryptography, Windows Fundamentals, Windows Kernel, Windows Hybrid Cloud Networking,
Containers, Windows Update Stack, the Microsoft Scripting Engine, and Windows SQL
components.
Disclosure

MS20-09-SO81: Security-only Update for Win 8.1 and Server 2012 R2
 Affected Products: Microsoft Windows 8.1, Server 2012 R2
 Description: Bulletin is based on KB 4577071. Security updates to Windows Media, Windows
Input and Composition, Windows App Platform and Frameworks, Windows Graphics, Windows
Cloud Infrastructure, Windows Authentication, Windows Cryptography, Windows Fundamentals,
Windows Kernel, Windows Hybrid Cloud Networking, Windows Peripherals, Windows Storage
and Filesystems, Windows Network Security and Containers, Windows Update Stack, and
Windows SQL components.
Disclosure

MS20-09-SPT: Security Updates for SharePoint Server
 Affected Products: Microsoft SharePoint Enterprise Server 2013 & 2016, Microsoft
SharePoint Foundation Server 2010 and 2013, and Microsoft SharePoint Server 2010
& 2019
 Description: This security update resolves vulnerabilities in Microsoft Office that
could allow remote code execution if a user opens a specially crafted Office file. This
bulletin is based on 12 KB articles.
 Impact: Remote Code Execution, Spoofing, Tampering and Information Disclosure
 Fixes 20 Vulnerabilities: No CVEs are publicly disclosed or known exploited. See
the Security Update Guide for the complete list of CVEs.

MS20-09-EXCH: Security Updates for Exchange Server
 Affected Products: Microsoft Exchange Server 2016 and 2019
 Description: This security update corrects how Microsoft Exchange
handles cmdlet arguments. This bulletin is based on KB 4577352.
 Impact: Remote Code Execution
 Fixes 1 Vulnerability: CVE-2020-16875
 Known Issues: Must install update with administrator privileges

MS20-09-OFF: Security Updates for Microsoft Office
 Maximum Severity: Important
 Affected Products: Excel 2010-2016, Office 2010-2016, Word 2010-2016, Office
2016 and 2019 for macOS, Office Web Applications
 Description: This security update resolves multiple vulnerabilities in Microsoft Office
applications. Consult the Security Guide for specific details on each. This bulletin
references 17 KB articles plus release notes for MacOS.
 Impact: Remote Code Execution and Information Disclosure
 Fixes 8 Vulnerabilities: CVE-2020-1193, CVE-2020-1218, CVE-2020-1224, CVE-
2020-1332, CVE-2020-1335, CVE-2020-1338, CVE-2020-1594 and CVE-2020-16855
 Restart Required: Requires application restart

MS20-09-O365: Security Updates Microsoft 365 Apps and Office 2019
 Affected Products: Microsoft 365 Apps, Office 2019
 Description: This month’s update resolved various bugs and performance issues in
Microsoft 365 Apps and Office 2019 applications. Information on Microsoft 365 Apps
security updates is available at https://docs.microsoft.com/en-
us/officeupdates/microsoft365-apps-security-updates.
 Impact: Remote Code Execution and Information Disclosure
2020-1332, CVE-2020-1335, CVE-2020-1338 and CVE-2020-1594
 Restart Required: Requires application restart

CHROME-200908: Security Update for Chrome Desktop
 Affected Products: Google Chrome
 Description: The stable channel has been updated to 85.0.4183.102 for Windows,
Mac and Linux. See https://chromereleases.googleblog.com/2020/09/stable-channel-
update-for-desktop.html for more details.
 Impact: Remote Code Execution
2020-6576, CVE-2020-15959

Between Patch Tuesdays

Release Summary
 Security Updates: Adobe Acrobat (1), Camtasia (2), Crowdstrike Falcon Sensor (1), Citrix
Workspace App (1), Dropbox (1), Firefox (2), Firefox ESR (2), FileZilla (1), GoodSync (8),
GoToMeeting (1), Malwarebytes (1), Microsoft Edge Chromium (5), Nitro Pro (2), Node.JS (2),
Opera (5), PowerBI Desktop (4), Plex Server (1), PeaZip (1), Slack Machine-Wide Installer (1),
Splunk Forwarder (2), Tableau (13), Thunderbird (2), TeamViwer (4), VMware Tools (1),
Windows (1), Wireshark (3), Zoom Client (2), Zoom Outlook Plugin (2)
 Non-Security Updates: AIMP (1), Azure Information Protection (1), Box Drive (1), BlueJeans
(1), GOM Player (1), Microsoft (22), PDF-Xchange PRO (1), Plantronics Hub (1), RingCentral
(3), RingCentral Classic (1), Visual Studio Code (3), Webex Teams (1), WinMerge (1), WinZip
(1)

Third Party CVE Information
 Security update for Windows 8.1, Server 2012 R2 (KB4578013)
 MS20-08-4578013, Q4578013
 Fixes 2 Vulnerabilities: CVE-2020-1530, CVE-2020-1537
 Firefox 80.0
 FF-200825, QFF800
 Fixes 10 Vulnerabilities: CVE-2020-6829, CVE-2020-12400, CVE-2020-12401,
CVE-2020-15663, CVE-2020-15664, CVE-2020-15665, CVE-2020-15666, CVE-
2020-15667, CVE-2020-15668, CVE-2020-15670

 Firefox ESR 78.2.0 and 68.12.0
 FFE-200824, QFFE7820
 FFE-200825, QFFE68120
 Fixes 3 Vulnerabilities: CVE-2020-15663, CVE-2020-15664, CVE-2020-15669
 Microsoft Edge Chromium 84.0.522.59
 MEDGE-200812, QMEDGE84052259
2020-6545, CVE-2020-6546, CVE-2020-6547, CVE-2020-6548, CVE-2020-6549,
CVE-2020-6550, CVE-2020-6551, CVE-2020-6552, CVE-2020-6553, CVE-2020-
6554, CVE-2020-6555
 MEDGE-200821, QMEDGE84052263

 MEDGE-200828, QMEDGE85056441
2020-6561, CVE-2020-6562, CVE-2020-6563, CVE-2020-6564, CVE-2020-6566,
CVE-2020-6567, CVE-2020-6568, CVE-2020-6569, CVE-2020-6570, CVE-2020-
6571
 Wireshark 3.2.6
 WIRES32-200813, QWIRES326
 Google Chrome 85.0.4183.83
 CHROME-200825, QGC850418383
 Fixes 14 Vulnerabilities: CVE-2020-6558, CVE-2020-6559, CVE-2020-6560, CVE-2020-
6561, CVE-2020-6562, CVE-2020-6563, CVE-2020-6564, CVE-2020-6565, CVE-2020-
6566, CVE-2020-6567, CVE-2020-6568, CVE-2020-6569, CVE-2020-6570, CVE-2020-
6571

Q & A

September Patch Tuesday- 2020

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to September Patch Tuesday- 2020

Similar to September Patch Tuesday- 2020 (20)

More from Ivanti

More from Ivanti (20)

Recently uploaded

Recently uploaded (20)

September Patch Tuesday- 2020