Microsoft’s seven-month streak of Patch Tuesdays with more than 110 vulnerabilities ended on October Patch Tuesday when it issued fixes for 87 unique vulnerabilities. It was also the first time in recent memory that none of its web browsers received patches.
“It’s surprising. I can’t remember a time when there weren’t at least a few CVEs for the browser each month,” said Chris Goettl, senior director of product management for security products at Ivanti, a security and IT management vendor based in South Jordan, Utah.
Since March, Microsoft had been averaging 120 vulnerability corrections per month. For October Patch Tuesday, 11 of the 87 vulnerabilities are rated critical. Microsoft technologies and products with security updates this month include the client and server Windows OSes, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft JET Database Engine, Azure Functions, Azure Sphere, open source software, Exchange Server, Visual Studio, PowerShellGet, .NET Framework, Microsoft Dynamics and Windows Codecs Library.
In terms of patching priority, administrators will want to address a critical remote-code execution vulnerability (CVE-2020-16898) in the Windows TCP/IP stack that lets an attacker send specially crafted packets to run code on a susceptible Windows 10 or Windows Server 2019 system. Microsoft’s security update fixes how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.
CVE-2020-16898 received a score of 9.8 out of 10 in the Common Vulnerability Scoring System, indicating a malicious actor would have relatively little difficulty exploiting the vulnerability, and an “Exploitation More Likely” rating in Microsoft’s exploitability assessment.
“Patching is always the first and most effective course of action. If this is not possible, the best mitigation is disabling IPv6, either on the NIC or at the perimeter of the network by dropping IPv6 traffic if it is nonessential. Additionally, ICMPv6 Router Advertisements can be blocked or dropped at the network perimeter,” wrote cybersecurity vendor McAfee in a blog where it dubbed the vulnerability Bad Neighbor.
There were no zero-days this month, but six vulnerabilities have already been publicly disclosed, all rated important. Five of these bugs (CVE-2020-16885, CVE-2020-16901, CVE-2020-16908, CVE-2020-16909, CVE-2020-16938) affect Windows 10 and corresponding Windows Server editions. The remainder is a .NET Framework information disclosure vulnerability (CVE-2020-16937).
Public disclosure indicates the exploit for a CVE exists, meaning it has been demonstrated or distributed in proof-of-concept code. This advance notice gives threat actors knowledge of a bug before the security updates arrive, allowing them to find ways to take advantage of the vulnerability before administrators can deploy patches to affected systems. Goettl said this batch of publicly disclosed vulnerabilities are especially useful for attackers who have already penetrated an organization’s defenses and want to strengthen their position.
“They would have to be on the system to be able to execute and elevate their privilege level. Once they’ve gained their foothold, either through a phishing attempt or something else, this is what they’re going to use to gain full privilege rights to it,” Goettl said.
Server administrators will want to apply a fix for an information disclosure vulnerability (CVE-2020-16969) rated important that affects Exchange Server 2013 and newer. Microsoft’s details for this bug indicate an attacker could exploit the vulnerability by using “specially crafted OWA messages” to take sensitive information from the server system. Goettl said Exchange Server can be more vulnerable to attack because some administrators will put off patching to avoid problems due to its importance as the messaging platform for many enterprises.
“Exchange is like that soft underbelly when things get exposed,” Goettl said.
Microsoft also listed a critical vulnerability (CVE-2020-9746) for Adobe Flash Player which, if exploited, could let an attacker crash a system or run code in the context of the affected user. The bug affects the Adobe Flash Player products for Chrome OS, Linux, macOS and Windows. Adobe Flash Player end-of-life date is Dec. 31, after which Adobe partner Harman will take over support and licensing for the product.
In addition to its product security updates, Microsoft released servicing stack updates for the following Windows products: Windows Server 2008, Windows 7/Server 2008 R2, several Windows 10 versions (1803, 1809, 1903, 1909), several Windows Server versions in the Semi-Annual Channel (1803, 1903 and 1909) and Windows Server 2019 in the Long-Term Servicing Channel. Servicing stack updates ship outside of the cumulative update model, requiring them to be retrieved and installed separately.
Additional vulnerabilities of note for October Patch Tuesday
- Another vital tool for the enterprise, SharePoint continues to be an attractive target for attackers seeking a way to infiltrate enterprise systems. Microsoft released patches to correct 11 bugs, including two critical remote-code execution vulnerabilities (CVE-2020-16951 and CVE-2020-16952) affecting the collaboration platform. The other CVEs rated important include CVE-2020-16929, CVE-2020-16941, CVE-2020-16942, CVE-2020-16944, CVE-2020-16945, CVE-2020-16946, CVE-2020-16948, CVE-2020-16950 and CVE-2020-16953.
- A critical remote-code execution vulnerability (CVE-2020-16891) in Windows client and server OSes could let an attacker run malicious code on the affected system. The fix adjusts how Hyper-V authorizes guest operating system user input.
- A critical remote-code execution vulnerability (CVE-2020-16947) affects Microsoft Outlook that could trigger the exploit if the user views a specially crafted email in the Outlook preview pane or goes to a website with a specially crafted file designed to exploit the vulnerability.