Microsoft October Patch Tuesday patched 87 bugs, including a critically severe wormable RCE vulnerability. This is perhaps the most low-key monthly security update with no zero-day vulnerabilities reported.
Almost halfway into the month, Microsoft is out with yet another Patch Tuesday for October, this time with fixes to 87 vulnerabilities affecting its suite of products and services. This is perhaps the first time in months that the company’s monthly Patch Tuesday features less than a hundred fixes and no zero-day vulnerabilities. Â
Microsoft deployed patches to 87 vulnerabilities in products like Windows 10 and Windows Server 2019. Out of these vulnerabilities, 12 were categorized as Critical.
Of the remaining, 74 were classified Important, and one poses a moderate level of threat. Microsoft also released cumulative updates for Windows 10, Windows 8.1 and Windows 7.
Let us delve into some of the most important fixes released from the Redmond tech giant this October.
Remote Code Execution
Nearly all of the vulnerabilities deemed critical could lead to remote code execution, affecting Microsoft products such as Windows, SharePoint, Outlook, Base3D rendering engine.Â
Some of these include:Â
- CVE-2020-16911Opens a new window : (CVSS score 8.8) Can allow attackers to take over system controls. Exists because of an object handling method in memory by Windows Graphics Device Interface (GDI).
- CVE-2020-16947Opens a new window : (CVSS score 8.1) Improper object handling leads to arbitrary code execution by the attacker. It can also lead to installation of programs; view, alter, and delete privileges on data, as well as new account creation capabilities with full user rights. Requires the attacker to send a specially crafted Outlook software and convince the victim to open it. Trend Micro’s Zero Day Initiative’s Dustin Childs explainedOpens a new window that in order to exploit this vulnerability, users need not even open the malicious file, just a quick preview can cause damage. Bharat Jogi, Senior Manager of Vulnerability and Threat Research at Qualys advised a quick patch up of CVE-2020-16947. He told ThreatPostOpens a new window , “An attacker can exploit this vulnerability without any authentication, and it is potentially wormable. We expect a proof-of-concept (PoC) for this exploit would be dropped soon, and we highly encourage everyone to fix this vulnerability as soon as possible.â€
- CVE-2020-16898Opens a new window : (CVSS score 9.8) Exists from incorrect handling of ICMPv6 Router Advertisement packets on Windows TCP/IP, which can lead to execute code remotely on a Windows server or client. ChildsOpens a new window explained in a blog post, “A specially crafted ICMPv6 router advertisement could cause code execution on an affected system. Since the code execution occurs in the TCP/IP stack, it is assumed the attacker could execute arbitrary code with elevated privileges. If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround.â€
- CVE-2020-16891Opens a new window : (CVSS score 8.8) RCE on host OS. Exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user. Researcher Jonas L may have discovered this vulnerability as early as July 2020.
Allright- managed to clear calc.exe in system32 on hyper-v host from inside guest-vm.
Slow but steady process, one month primary focus hyper-v/sandbox now pic.twitter.com/a7Tojf0S3UOpens a new window— Jonas L (@jonasLyk) July 31, 2020Opens a new window
- CVE-2020-17003Opens a new window : (CVSS score 7.8) Exists under Microsoft’s Base 3D rendering engine.Â
- CVE-2020-16923Opens a new window : (CVSS score 7.8) RCE through Windows Graphics Component.Â
- CVE-2020-16951Opens a new window & CVE-2020-16952Opens a new window : (CVSS scores 8.6) RCE by an attacker under SharePoint application pool and the SharePoint server farm account. It exists due to SharePoint’s inability to check source markup of an application payload. Requires a specially crafted SharePoint application.
- CVE-2020-16967Opens a new window : CVSS scores 7.8. Leads to arbitrary code execution under the name of the current user through the Windows Camera Codec Pack. If the logged-in user is an administrator, these bugs can even allow system take over by the attacker.Â
Elevation of Privilege
- CVE-2020-16909Opens a new window : CVSS score 7.8. Authenticated attackers can gain elevated privileges and execute code through Windows Error Reporting.Â
Memory Corruption
- CVE-2020-16915Opens a new window : CVSS score 7.8. Exists through improper object handling in Windows Media Foundation.
Besides the above listed ones, six vulnerabilities deemed Important have been publicly disclosed previously and as a result are at a higher risk of exploitation. Â
Microsoft’s October Patch Tuesday has issued fixes for the following products:
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft JET Database Engine
- Azure Functions
- Open Source Software
- Microsoft Exchange Server
- Visual Studio
- PowerShellGet
- Microsoft .NET Framework
- Microsoft Dynamics
- Adobe Flash Player
- Microsoft Windows Codecs Library
Microsoft also released cumulative updates for Windows 7, Windows 8.1, Windows 10 (versions 1803, 1809, 1903, 1909, 2004), and Windows Server (version 2008 R2, 2012 R2, 2016, 2019).Â
Windows 7
Security fixes include:
- Incorrect access by Graphics Device Interface to internal regions which can cause unexpected UI experience. Can cause additional or missing screen elements, screen flickering, or a trailing screen.
- An incorrect daylight savings time (DST) in 2021 for the Fiji Islands is now fixed.Â
- Recursive deletion of critical files on enabling ‘Delete local user profile policy’ is corrected.
- Other security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Shell, Windows Silicon Platform, Windows Cloud Infrastructure, Windows Fundamentals, Windows Authentication, Windows Virtualization, Windows Core Networking, Windows Network Security and Containers, Windows Storage and Filesystems, Windows SQL components, and Windows Remote Desktop.
Manual downloads available hereOpens a new window .
Windows 8.1
- Incorrect end date for daylight savings time (DST) in 2021 for the Fiji Islands is rectifies
- Recursive deletion of critical files by Group Policy by enabling “Delete local user profile policy†is corrected.
- Null report creation issue through the UI is addressed.
- Includes a notification in Internet Explorer 11 which will inform users of the end of support for Adobe Flash in December 2020.
- Addresses an issue with Microsoft Edge IE Mode that occurs when you enable Configure enhanced hang detection for Internet Explorer mode in Microsoft Edge.Â
- Administrators can now disable JScript in specific security zones.
- Other security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Shell, Windows Silicon Platform, Windows Cloud Infrastructure, Windows Fundamentals, Windows Authentication, Windows Virtualization, Windows Kernel, Windows Core Networking, Windows Network Security and Containers, Windows Remote Desktop, and Windows SQL components.
Manual downloads available hereOpens a new window .
Windows 10
Windows 10 features a slew of build updates listed below:Â
Windows Version | Update Build |
Windows 10 version 1507 | KB4580327Opens a new window |
Windows 10 version 1607 | KB4580346Opens a new window |
Windows 10 version 1703 | KB4580370Opens a new window |
Windows 10 version 1709 | KB4580328Opens a new window |
Windows 10 version 1803 | KB4580330Opens a new window |
Windows 10 version 1809 | KB4580330Opens a new window |
Windows 10 version 1903/1909 | KB4577671Opens a new window |
Windows 10 version 2004 | KB4579311Opens a new window |
Windows 10 version 20H2 | KB4579311Opens a new window |
Windows Server
- Features a corrected end date for daylight savings time (DST) in 2021 for the Fiji Islands.Â
- Other security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Shell, Windows Silicon Platform, Windows Cloud Infrastructure, Windows Authentication, Windows Virtualization, Windows Core Networking, Windows Network Security and Containers, and Windows SQL components.
Manual downloads available hereOpens a new window .
A complete list of October patches to vulnerabilities, compiled by the Zero Day Initiative can be accessed hereOpens a new window .
Let us know if you liked this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!