Patch Tuesday (November 2020): Microsoft Releases Fix for Zero-Day Vulnerability Found in Windows
24 Remote Code Execution (RCE) out of 112 vulnerabilities have also been patched
Microsoft has published its monthly security updates, known as Patch Tuesday. This time, 112 software flaws across a wide range of products, from Windows to Microsoft Teams, have been patched. The most significant one this month is the zero-day vulnerability in Windows, which has also been spotted being exploited in the wild. 17 of the 112 vulnerabilities addressed in November’s batch are rated “critical”, meaning they can be abused to remotely take full control of a compromised Windows device without any action by the user. Most of the remainder are rated “important”, referring to flaws whose exploitation could affect the security, privacy, or functionality of a user’s data or the availability or integrity of computing resources. We advise you to test these patches and apply them at your earliest convenience!
CVE-2020-17087: The Windows Zero-Day
CVE-2020-17087, an “important”-rated flaw in the Windows kernel that is already being actively exploited in the wild, is the primary issue in this month’s batch of updates. It has not been classified as “critical” because it is a privilege escalation vulnerability: it enables attackers who have already compromised a less powerful account (one without full administrative rights) to obtain elevated privileges. In other words, it would have to be chained with another attack to receive Microsoft’s “critical” rating. On October 30, Google’s Project Zero and Threat Analysis Group (TAG) security teams disclosed the zero-day. Google stated that the flaw was being abused together with a zero-day in Chrome, threatening users of Windows 7 and Windows 10. The Chrome zero-day allowed attackers to run their code within Chrome. The second component of the attack was the Windows zero-day, which enabled attackers to escape Chrome’s sandbox and run code on the underlying OS. Google Project Zero alerted Microsoft ahead of public disclosure, which helped them fix the bug, and also provided proof-of-concept code to reproduce the attack. However, details about who was using these two zero-days have not been disclosed. In one of my articles on patch management, I’ve also written about the importance of disclosing vulnerabilities in a responsible manner, and I recommend you check it out as well. The Chrome zero-day was patched in Chrome version 86.0.4240.111. Historically, this is the second time Google has reported a two-stage attack featuring a zero-day in both Windows and Chrome. Back in March 2019, Google stated that ill-intentioned actors also combined a Chrome zero-day (CVE-2019-5786) with a Windows zero-day (CVE-2019-0808).
Other Microsoft vulnerabilities you should know about
Besides the Windows zero-day, the batch fixes 111 additional vulnerabilities, including 24 bugs that would allow remote code execution (RCE) attacks against Microsoft software such as:
- Exchange Server
- Windows GDI+
- Microsoft Teams
- Microsoft SharePoint
- Windows Network File System, etc.
You can access Microsoft’s complete Security Update Guide to learn more.
The new version of Microsoft’s Security Update Guide
If you browse Microsoft’s latest security advisories, you’ll find they look a little shorter. As Microsoft explains on their blog, they reshaped these guides to match the style of other software vendors’ advisories, which are built around the Common Vulnerability Scoring System (CVSS) format. However, by doing so they also omitted some valuable details. For instance, they dropped the description that summarized the scope of the vulnerability, how it could be exploited, and what the consequences of an attack might be. In short, it may become much harder for IT professionals to prioritize and coordinate their patching activities without having all the necessary context for these CVEs at hand.