Patch Tuesday: Dangerous Zero-Day Hides Among Another 100+ CVEs
After a brief respite last month, Microsoft hit system administrators with another large patch load this month, issuing fixes for 112 CVEs including one being actively exploited in the wild.
The updates for November cover a wide range of products including Windows, Office and Office 365, IE, Edge, Edge Chromium, Exchange Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Teams, Azure SDK, DevOps, ChakraCore and Visual Studio.
However, experts are urging customers to prioritize CVE-2020-17087, an Elevation of Privilege bug in the Windows Kernel Cryptography Driver. It affects all versions of the OS, from the Extended Security Update (ESU) in Windows 7 and Server 2008 up to the latest Windows 10 20H2 versions.
“While the vulnerability is only rated as Important by Microsoft, it is a zero-day vulnerability and has been publicly disclosed. This means attackers have already been detected using it in the wild and information on how to exploit it has been distributed publicly, allowing additional threat actors easy access to reproduce this exploit,” explained Ivanti senior product manager, Todd Schell.
“CVE-2020-17087 was discovered by Google researchers as being exploited in tandem with a Google Chrome flaw (CVE-2020-15999), for which an update was made available on October 20. The two vulnerabilities should be resolved as soon as possible.”
Meanwhile, Qualys vulnerability signatures product manager, Animesh Jain, warned of six flaws in SharePoint that should be fairly high up on the to-do list.
“Three of these vulnerabilities (CVE-2020-17016, CVE-2020-17015, CVE-2020-17060) involve spoofing vulnerabilities, and two (CVE-2020-16979, CVE-2020-17017) involve information disclosure vulnerabilities,” she explained. “The remaining one (CVE-2020-17061) is a remote code execution vulnerability; because of this, it is highly recommended to prioritize these patches across all SharePoint deployments.”
Many sysadmins will notice that Microsoft has pared back the information it includes with each vulnerability. Although this was ostensibly done to fall in line with industry standard CVSS, some have argued that this makes it harder for non-security specialists to understand how relevant a bug/CVE is to their organization.