Patch Tuesday (November 2020): Microsoft Releases Fix for Zero-Day Vulnerability Found in Windows

The monthly security updates known as Patch Tuesday have been recently published by Microsoft. This time, 112 software flaws across a wide variety of products ranging from Windows to Microsoft Teams have been patched. The most significant one updated this month is the zero-day vulnerability found in Windows which has also been spotted being exploited in the wild. 17 of the 112 vulnerabilities addressed in November’s batch include “critical” Windows issues, namely the ones that can be abused to remotely take full control of a compromised Windows device without the users’ assistance. Most of the remainder have been given an “important” ranking, referring to software flaws whose misuse could affect the security, privacy, or functionality of one’s data or the accessibility or integrity of computing resources. We advise you to test these patches and apply them at your earliest convenience!

CVE-2020-17087: The Windows Zero-Day

CVE-2020-17087, which is an “important”-rated flaw in the Windows kernel that is already actively exploited in the wild, is the primary issue across this month’s batch of updates. It has is not been classified as “critical” because it represents what is regarded as a privilege escalation vulnerability that would enable attackers who have already infiltrated a less powerful account (without full administrative rights) to obtain elevated privileges. In other words, it would have to be linked to another cyber-attack in order to receive Microsoft’s “critical” rating. On October 30, Google’s Project Zero and Threat Analysis Group (TAG) security teams unveiled the zero-day. Google stated that the flaw was being abused along with a zero-day found in Chrome, threatening users of Windows 7 and Windows 10. The zero-day in Chrome was employed to authorize malicious hackers to run their code within Chrome. The second component of the assault was the zero-day encountered in Windows, which enabled attackers to bypass the secure container of Chrome and run code on the underlying OS. Microsoft was alerted by the Google Project Zero team in time, which helped them to fix the bug. They also provided proof of concept code to replicate attacks. However, details around who was using these two zero-days have not been disclosed. In one of my articles on patch management, I’ve also written about the importance of disclosing vulnerabilities in a responsible manner, and I recommend you check it out as well. The zero-day was patched in the 86.0.4240.111 version of Chrome. Historically, this is the second time Google reported a two-fold assault featuring a zero-day in Windows and Chrome. Back in March 2019, Google stated that ill-intentioned actors also mixed a Chrome (CVE-2019-5786) and a Windows (CVE-2019-0808) zero-day.

Other Microsoft vulnerabilities you should know about

There are 111 additional vulnerabilities besides the Windows zero-day that need to be fixed, also comprising 24 bugs which would allow remote code execution (RCE) attacks in certain Microsoft software, including:

• Excel
• Exchange Server
• Windows GDI+
• Microsoft Teams
• Microsoft SharePoint
• Windows Network File System, etc.

You can access Microsoft’s complete Security Update Guide to learn more.

The new version of Microsoft’s Security Update Guide

If you browse Microsoft’s latest security advisories, you’ll find they look a little shorter. As Microsoft explains on their blog, they wanted to reshape these guides to match the style of the advisories of other software vendors in regards to the Common Vulnerability Scoring System (CVSS) format. However, by doing so they also omitted some valuable details. For instance, they eliminated the definition that broadly described the extent of the vulnerability, how it could have been abused, and what the consequences of the attack might have been. In short, it may become extremely difficult for IT professionals to coordinate their patching activities without having all the necessary context for these CVEs at hand.  

Heimdal^TM Security’s customers who are running Heimdal™ Threat Prevention (or it’s built-in Heimdal™ Patch & Asset Management module) with automatic updates enabled can rest assured they are protected. Did you know that after every Patch Tuesday, almost 50% of our Enterprise customers automatically patch their Microsoft software within 3 days upon release? The rest of them prefer to postpone the patching process according to their own schedule. Heimdal™ Patch & Asset Management​ is your easiest and shortest route to flawless and effective patch management, with customizable set-and-forget settings for Automatic deployment of software and updates and a full CVE/CVSS audit trail. We deliver updates fully repackaged and ad-free, using encrypted packages through HTTPS transfers. The distribution is also optimized locally using a P2P network between our customers’ endpoints, and the software center allows them to remove admin rights and authorize their users to click-and-install only the software that their IT staff approves.

If you liked this post, you will enjoy our newsletter.

Get cybersecurity updates you'll actually want to read directly in your inbox.

I agree to have the submitted data processed by Heimdal Security according to the Privacy Policy

How do you manage your patching? What’s your take on the new version of Microsoft’s Security Update Guide? Let us know in the section below!