Microsoft has issued its first patch update in eight months to fix fewer than 100 CVEs, while six concern publicly disclosed bugs and will require prioritizing.
October’s Patch Tuesday yesterday resolved 87 vulnerabilities, including 11 rated critical.
Numerous industry experts pointed to CVE-2020-16898, which has a CVSS score of 9.8, as a priority.
“This is a remote code execution vulnerability in Microsoft’s TCP/IP stack. The vulnerability is in the way the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets,” explained Recorded Future senior security architect, Allan Liska.
“For effective exploitation of this vulnerability, all an attacker has to do is send a specially crafted ICMPv6 Router Ad packet to a distant Windows laptop. This vulnerability impacts Windows 10 and Windows Server 2019 and really should be patched straight away.”
Elsewhere, five of the six publicly disclosed bugs affect Windows 10 and related server editions: CVE-2020-16908, CVE-2020-16909, CVE-2020-16901, CVE-2020-16885 and CVE-2020-16938. The sixth affects the .NET Framework (CVE-2020-16937).
Todd Schell, senior solution supervisor at Ivanti, also pointed to CVE-2020-16947, a vulnerability in Microsoft Outlook which could permit remote code execution just by viewing a specially crafted email.
“The Preview Pane is an attack vector listed here, so you do not even need to open up the mail to be impacted,” he added. “The flaw exists in just the parsing of HTML material in an email. Patch this one particular rapidly. It will be an attractive focus on for risk actors.”
Another RCE flaw, this time in Windows Hyper-V, is CVE-2020-16891.
“This patch corrects a bug that permits an attacker to run a specially crafted application on an afflicted guest OS to execute arbitrary code on the host OS. A visitor OS escape like this would also be extremely attractive to risk actors,” stated Schell.
Microsoft also released a preview of its new update guide this month. It is designed to provide a more intuitive format so sysadmins can get to the risk-based information they need faster, such as exploited and publicly disclosed vulnerabilities.