Microsoft formally launched fixes for 112 freshly discovered security vulnerabilities as portion of its November 2020 Patch Tuesday, which includes an actively exploited zero-day flaw disclosed by Google’s security workforce last week.
The rollout addresses flaws, 17 of which are rated as Critical, 93 are rated as Vital, and two are rated Small in severity, as soon as again bringing the patch rely around 110 after a fall previous thirty day period.
The security updates encompass a vary of application, like Microsoft Windows, Place of work and Business Solutions and Web Apps, Internet Explorer, Edge, ChakraCore, Exchange Server, Microsoft Dynamics, Windows Codecs Library, Azure Sphere, Windows Defender, Microsoft Groups, and Visual Studio.
Chief among the these fixed is CVE-2020-17087 (CVSS rating 7.8), a buffer overflow flaw in Windows Kernel Cryptography Driver (“cng.sys”) that was disclosed on October 30 by the Google Project Zero group as becoming utilized in conjunction with a Chrome zero-working day to compromise Windows 7 and Windows 10 buyers.
For its part, Google unveiled an update for its Chrome browser to deal with the zero-working day (CVE-2020-15999) previous month.
Microsoft’s advisory about the flaw does not go into any information further than the simple fact that it was a “Windows Kernel Area Elevation of Privilege Vulnerability” in aspect to restructure security advisories in line with the Typical Vulnerability Scoring Technique (CVSS) structure beginning this month.
Outside of the zero-working day, the update fixes a quantity of remote code execution (RCE) vulnerabilities impacting Trade Server (CVE-2020-17084), Network File Program (CVE-2020-17051), and Microsoft Teams (CVE-2020-17091), as well as a security bypass flaw in Windows Hyper-V virtualization computer software (CVE-2020-17040).
CVE-2020-17051 is rated 9.8 out of a most 10 on the CVSS rating, producing it a critical vulnerability. Microsoft, having said that, mentioned that the attack complexity of the flaw — the circumstances outside of the attacker’s handle that ought to exist in purchase to exploit the vulnerability — is very low.
As with the zero-working day, the advisories affiliated with these security shortcomings are light-weight on descriptions, with tiny to no details on how these RCE flaws are abused or which security function in Hyper-V is getting bypassed.
Other critical flaws set by Microsoft this month include memory corruption vulnerabilities in Microsoft Scripting Motor (CVE-2020-17052) and Internet Explorer (CVE-2020-17053), and numerous RCE flaws in HEVC Video clip Extensions Codecs library.
It can be extremely advised that Windows consumers and process administrators use the newest security patches to resolve the threats associated with these issues.
To set up the most up-to-date security updates, Windows customers can head to Start out > Settings > Update & Security > Windows Update, or by deciding upon Test for Windows updates.
Found this report attention-grabbing? Abide by THN on Fb, Twitter and LinkedIn to go through a lot more distinctive content material we post.