October 24, 2020

Microsoft October 2020 Patch Tuesday: fix 87 vulnerabilities

2 min read
On October 13, 2020, Microsoft officially released a risk notice for October. This security update released patches for 87 vulnerabilities, mainly covering the Windows operating system, IE/Edge browser, Office components, and Web Apps, Exchange server, .Net Framework, Azure DevOps, Windows codecs. Microsoft October 2020 Patch Tuesday includes 11 serious vulnerabilities and 75 high-risk vulnerabilities.

Microsoft November Patch Tuesday

Vulnerability Detail

–       CVE-2020-16898 – Windows TCP/IP Remote Code Execution Vulnerability
This patch corrects a problem in the TCP/IP stack caused by the way it handles ICMPv6 router advertisements. A specially crafted ICMPv6 router advertisement could cause code execution on an affected system. Since the code execution occurs in the TCP/IP stack, it is assumed the attacker could execute arbitrary code with elevated privileges. If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround. Microsoft also gives this bug its highest exploitability rating, so exploits are likely. You should definitely test and deploy this patch as soon as possible.

–       CVE-2020-16947 – Microsoft Outlook Remote Code Execution Vulnerability
This vulnerability was reported through the ZDI program, and it could allow code execution on affected versions of Outlook just by viewing a specially crafted e-mail. The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted. The specific flaw exists within the parsing of HTML content in an email. The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer. Although Microsoft gives this an XI rating of 2, we have a working proof-of-concept. Patch this one quickly.

–       CVE-2020-16891 – Windows Hyper-V Remote Code Execution Vulnerability
This patch corrects a bug that allows an attacker to run a specially crafted program on an affected guest OS to execute arbitrary code on the host OS. The write up doesn’t say at what permission level the code execution occurs, but that shouldn’t stop you from rolling this out to your Hyper-V servers quickly.

–       CVE-2020-16909 – Windows Error Reporting Elevation of Privilege Vulnerability
This is one of the six bugs listed as publicly known for this month. The patch corrects an escalation of privilege (EoP) in the Windows Error Reporting (WER) component that could allow an authenticated attacker to execute arbitrary code with escalated privileges. Although this CVE is not listed as being publicly exploited, bugs in this component have been reported as being used in the wild in fileless attacks. Regardless, this and the other bugs in the WER component being fixed this month should not be ignored.

Solution

In this regard, we recommend that users upgrade all Windows components to the latest version in time.