No Zero Day Flaws in Microsoft’s October Patch Tuesday

essidsolutions

Microsoft October Patch Tuesday patched 87 bugs, including a critically severe wormable RCE vulnerability. This is perhaps the most low-key monthly security update with no zero-day vulnerabilities reported.

Almost halfway into the month, Microsoft is out with yet another Patch Tuesday for October, this time with fixes to 87 vulnerabilities affecting its suite of products and services. This is perhaps the first time in months that the company’s monthly Patch Tuesday features less than a hundred fixes and no zero-day vulnerabilities.  

Microsoft deployed patches to 87 vulnerabilities in products like Windows 10 and Windows Server 2019. Out of these vulnerabilities, 12 were categorized as Critical.

Of the remaining, 74 were classified Important, and one poses a moderate level of threat. Microsoft also released cumulative updates for Windows 10, Windows 8.1 and Windows 7.

Let us delve into some of the most important fixes released from the Redmond tech giant this October.

Remote Code Execution

Nearly all of the vulnerabilities deemed critical could lead to remote code execution, affecting Microsoft products such as Windows, SharePoint, Outlook, Base3D rendering engine. 

Some of these include: 

  • CVE-2020-16911Opens a new window : (CVSS score 8.8) Can allow attackers to take over system controls. Exists because of an object handling method in memory by Windows Graphics Device Interface (GDI).
  • CVE-2020-16947Opens a new window : (CVSS score 8.1) Improper object handling leads to arbitrary code execution by the attacker. It can also lead to installation of programs; view, alter, and delete privileges on data, as well as new account creation capabilities with full user rights. Requires the attacker to send a specially crafted Outlook software and convince the victim to open it. Trend Micro’s Zero Day Initiative’s Dustin Childs explainedOpens a new window that in order to exploit this vulnerability, users need not even open the malicious file, just a quick preview can cause damage. Bharat Jogi, Senior Manager of Vulnerability and Threat Research at Qualys advised a quick patch up of CVE-2020-16947. He told ThreatPostOpens a new window , “An attacker can exploit this vulnerability without any authentication, and it is potentially wormable. We expect a proof-of-concept (PoC) for this exploit would be dropped soon, and we highly encourage everyone to fix this vulnerability as soon as possible.”
  • CVE-2020-16898Opens a new window : (CVSS score 9.8) Exists from incorrect handling of ICMPv6 Router Advertisement packets on Windows TCP/IP, which can lead to execute code remotely on a Windows server or client. ChildsOpens a new window explained in a blog post, “A specially crafted ICMPv6 router advertisement could cause code execution on an affected system. Since the code execution occurs in the TCP/IP stack, it is assumed the attacker could execute arbitrary code with elevated privileges. If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround.”
  • CVE-2020-16891Opens a new window : (CVSS score 8.8) RCE on host OS. Exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user. Researcher Jonas L may have discovered this vulnerability as early as July 2020.

Allright- managed to clear calc.exe in system32 on hyper-v host from inside guest-vm.
Slow but steady process, one month primary focus hyper-v/sandbox now pic.twitter.com/a7Tojf0S3UOpens a new window

— Jonas L (@jonasLyk) July 31, 2020Opens a new window

Elevation of Privilege

Memory Corruption

Besides the above listed ones, six vulnerabilities deemed Important have been publicly disclosed previously and as a result are at a higher risk of exploitation.  

Microsoft’s October Patch Tuesday has issued fixes for the following products:

  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Microsoft JET Database Engine
  • Azure Functions
  • Open Source Software
  • Microsoft Exchange Server
  • Visual Studio
  • PowerShellGet
  • Microsoft .NET Framework
  • Microsoft Dynamics
  • Adobe Flash Player
  • Microsoft Windows Codecs Library

Microsoft also released cumulative updates for Windows 7, Windows 8.1, Windows 10 (versions 1803, 1809, 1903, 1909, 2004), and Windows Server (version 2008 R2, 2012 R2, 2016, 2019). 

Windows 7

Security fixes include:

  • Incorrect access by Graphics Device Interface to internal regions which can cause unexpected UI experience. Can cause additional or missing screen elements, screen flickering, or a trailing screen.
  • An incorrect daylight savings time (DST) in 2021 for the Fiji Islands is now fixed. 
  • Recursive deletion of critical files on enabling ‘Delete local user profile policy’ is corrected.
  • Other security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Shell, Windows Silicon Platform, Windows Cloud Infrastructure, Windows Fundamentals, Windows Authentication, Windows Virtualization, Windows Core Networking, Windows Network Security and Containers, Windows Storage and Filesystems, Windows SQL components, and Windows Remote Desktop.

Manual downloads available hereOpens a new window .

Windows 8.1

  • Incorrect end date for daylight savings time (DST) in 2021 for the Fiji Islands is rectifies
  • Recursive deletion of critical files by Group Policy by enabling  “Delete local user profile policy” is corrected.
  • Null report creation issue through the UI is addressed.
  • Includes a notification in Internet Explorer 11 which will inform users of the end of support for Adobe Flash in December 2020.
  • Addresses an issue with Microsoft Edge IE Mode that occurs when you enable Configure enhanced hang detection for Internet Explorer mode in Microsoft Edge. 
  • Administrators can now disable JScript in specific security zones.
  • Other security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Shell, Windows Silicon Platform, Windows Cloud Infrastructure, Windows Fundamentals, Windows Authentication, Windows Virtualization, Windows Kernel, Windows Core Networking, Windows Network Security and Containers, Windows Remote Desktop, and Windows SQL components.

Manual downloads available hereOpens a new window .

Windows 10

Windows 10 features a slew of build updates listed below: 

Windows Version Update Build
Windows 10 version 1507 KB4580327Opens a new window
Windows 10 version 1607 KB4580346Opens a new window
Windows 10 version 1703 KB4580370Opens a new window
Windows 10 version 1709 KB4580328Opens a new window
Windows 10 version 1803 KB4580330Opens a new window
Windows 10 version 1809 KB4580330Opens a new window
Windows 10 version 1903/1909 KB4577671Opens a new window
Windows 10 version 2004 KB4579311Opens a new window
Windows 10 version 20H2 KB4579311Opens a new window

Windows Server

  • Features a corrected end date for daylight savings time (DST) in 2021 for the Fiji Islands. 
  • Other security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Shell, Windows Silicon Platform, Windows Cloud Infrastructure, Windows Authentication, Windows Virtualization, Windows Core Networking, Windows Network Security and Containers, and Windows SQL components.

Manual downloads available hereOpens a new window .

A complete list of October patches to vulnerabilities, compiled by the Zero Day Initiative can be accessed hereOpens a new window .

Let us know if you liked this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!

Contact ESSID Solutions

    By clicking Send Message, you agree to our Terms of Use and Privacy Policy.

    Reach out to us for a free consultation on big data consultancy and development services.

    Contact

    Rua Alexandre de Sa Pinto 143
    1300-034 Lisbon
    Portugal

    [email protected] +351927159955
    Privacy Policy Terms of Service Refund and Returns Policy

    © 2024 ESSID SOLUTIONS LDA