Microsoft November Patch Tuesday: fix 112 security vulnerabilities

On November 10, 2020, Microsoft officially released a risk notice for the November Patch Tuesday. This patch fixes 112 vulnerabilities, mainly covering Windows operating system, IE/Edge browser, Office components, and Web Apps, ChakraCore, Exchange server, .Net Framework, Azure DevOps, Windows Defender, Visual Studio, etc. November Patch Tuesday includes 17 serious vulnerabilities and 93 high-risk vulnerabilities.
September Patch Tuesday

Vulnerability Detail

CVE-2020-17087 – Windows Kernel Local Elevation of Privilege Vulnerability
This privilege escalation bug was publicly disclosed by Google in late October. They noted it was combined with a Chrome bug to escape the browser sandbox and execute code on the target system. While not explicitly stated, the language used makes it seem the exploit is not yet widespread. However, considering there is a full analysis of the bug weeks before the patch, it will likely be incorporated into other exploits quickly.

CVE-2020-17084 – Microsoft Exchange Server Remote Code Execution Vulnerability
This patch corrects a code execution bug in Exchange that was reported by Pwn2Own Miami winner Steven Seeley. With no details provided by Microsoft, we can only assume this is the bypass of CVE-2020-16875 he had previously mentioned. It is very likely he will publish the details of these bugs soon. Microsoft rates this as Important, but I would treat it as Critical, especially since people seem to find it hard to patch Exchange at all.

CVE-2020-17051 – Windows Network File System Remote Code Execution Vulnerability
With no description to work from, we need to rely on the CVSS to provide clues about the real risk from this bug. At a 9.8, it’s about as critical as a bug can get. Considering this is listed as no user interaction with low attack complexity, and considering NFS is a network service, you should treat this as wormable until we learn otherwise.

CVE-2020-17040 – Windows Hyper-V Security Feature Bypass Vulnerability
Here’s another bug that could be helped by a description. It’s not clear which security feature in Hyper-V is being bypassed or how an attacker can abuse it. Again, the attack complexity is low, authentication is not required, and there is no user interaction. Additional details are needed to accurately judge the risk from this bug, but the title and CVSS values alone put this bug on everyone’s radar.

Solution

In this regard, we recommend that users upgrade the Windows operating system and related components to the latest version in time.