Seventeen of the 112 issues fixed in today’s patch batch are “critical” issues in Windows, meaning flaws that malware or malcontents can exploit to take full remote control of a vulnerable Windows computer without any help from users.
Most of the others were assigned an “important” rating, which in Redmond parlance refers to a vulnerability whose exploitation could “compromise the confidentiality, integrity, or availability of user data or the integrity or availability of processing resources.”
A chief concern among all of this month’s updates is CVE-2020-17087, an “important” bug in the Windows kernel that is already being actively exploited. CVE-2020-17087 is not classified as critical because it is a so-called privilege escalation bug, one that allows an attacker who has already compromised a less powerful user account on a system to gain administrative control. In essence, it would have to be chained with another exploit.
Unfortunately, this is exactly what Google researchers described witnessing recently. On October 20th, Google released an update for its Chrome browser that fixed a bug (CVE-2020-15999) that was being used in conjunction with CVE-2020-17087 to compromise Windows users.
If you look at the advisory Microsoft published today for CVE-2020-17087 (or any other from today’s batch), you’ll find that it looks a little sparse. This is because Microsoft decided to restructure these advisories around the Common Vulnerability Scoring System (CVSS) format to better align their format with that of other major software vendors.
However, in doing so Microsoft has also removed some useful information, such as a description that broadly explains the scope of the vulnerability, how it could be exploited, and what the outcome of exploitation might be. Microsoft explained the reasons for this change in a blog post.
Not everyone is happy with the new format. Bob Huber, Chief Security Officer at Tenable, praised Microsoft for adopting an industry standard but said the company should keep in mind that the people reviewing Patch Tuesday releases are not security practitioners but IT counterparts responsible for actually applying the updates, who often are unable (and should not have) to decipher raw CVSS data.
“With this new format, end users are completely blind to how a particular CVE affects them,” said Huber. “In addition, it is almost impossible to determine the urgency of a particular patch. It’s difficult to understand the benefits to end users. It’s not too difficult to see how this new format benefits bad actors, however. They will reverse engineer the patches. Because Microsoft does not explicitly provide the details of security vulnerabilities, the advantage lies with attackers, not defenders. Without the right context for these CVEs, defense lawyers will find it increasingly difficult to prioritize their remediation efforts.”
Dustin Childs with Trend Micro’s Zero Day Initiative was also puzzled by the lack of detail in the Microsoft advisories tied to two other bugs fixed today, including one in Microsoft Exchange Server (CVE-2020-16875) and CVE-2020-17051, a scary-looking weakness in the Windows Network File System (NFS).
The Exchange problem, Childs said, was reported by the winner of the Pwn2Own Miami bug-finding contest.
“With no information from Microsoft, we can only assume that this is the CVE-2020-16875 bypass that he mentioned earlier,” said Childs. “It is very likely that he will publish the details of these bugs soon. Microsoft rates this as important, but I would view it as critical, especially since people seem to have a hard time patching Exchange at all.”
Similarly, detail was noticeably lacking for CVE-2020-17051, a flaw that earned a CVSS score of 9.8 (10 being the most dangerous).
“Since there is no description to work against, we have to rely on the CVSS for guidance on the real risk of failure,” said Childs. “Think of this as no user interaction with low attack complexity, and since NFS is a network service, treat this as wormable until we learn otherwise.”
Separately, Adobe released updates today to address at least 14 vulnerabilities in Adobe Acrobat and Reader. Details on these fixes can be found here. There are no security updates for Adobe’s Flash Player, which Adobe says will be discontinued at the end of the year. Microsoft, which has bundled versions of Flash with its web browsers, plans to release an update in December that will remove Flash from Windows PCs. The removal tool was made available for download last month.
Windows 10 users should be aware that the operating system downloads and installs updates on its own schedule, closing active programs and restarting the system. If you want to make sure Windows is set to pause updating so you can back up your files and/or your system, read this guide.
But do back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do this, either on a per-file/folder basis or by making a full, bootable copy of your hard drive all at once.
As always, if you run into any glitches or problems installing any of these patches this month, please leave a comment below. There’s an above-average chance that other readers have experienced the same thing and may chime in here with some helpful tips.
This entry was posted on Tuesday, November 10th, 2020 at 8:56 pm and is filed under Security Tools, Patch Time.
These were the details of the news Patch Tuesday, November 2020 issue – Krebs on Security for this day.
It is also worth noting that the original news was published and is available at de24.news. The editorial team at AlKhaleej Today has confirmed it; it may have been modified, or transferred or quoted in full from the original, and you can read and follow this news from its main source.