Microsoft has released important “Patch Tuesday” monthly security updates. These should be applied promptly, as some of these vulnerabilities have the potential to be actively exploited in the wild:

https://isc.sans.edu/forums/diary/Microsoft+September+2020+Patch+Tuesday/26544/

https://blog.talosintelligence.com/2020/09/microsoft-patch-tuesday-for-sept-2020.html

https://www.thezdi.com/blog/2020/9/8/the-september-2020-security-update-review

https://patchtuesdaydashboard.com/

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

https://us-cert.cisa.gov/ncas/current-activity/2020/09/08/microsoft-releases-september-2020-security-updates

For September, Microsoft released patches for 129 CVEs in Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), SQL Server, Office and Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive, and Azure DevOps. That brings us to seven straight months of 110+ CVEs. It also brings the yearly total close to 1,000. It certainly seems like this volume is the new normal for Microsoft patches.

Of these 129 patches, 23 are listed as Critical while 105 are listed as Important, and one is listed as Moderate in severity. Let’s take a closer look at some of the more severe bugs in this release, starting with an Exchange bug that is sure to get a lot of attention:

CVE-2020-16875: Microsoft Exchange Memory Corruption Vulnerability

Without a doubt, this is the most severe bug being addressed this month. This patch corrects a vulnerability that allows an attacker to execute code as SYSTEM by sending a specially crafted email to an affected Exchange Server. That is about the worst-case scenario for Exchange servers. We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that one requires authentication. We’ll likely see this one in the wild soon. This should be your top priority.