Microsoft pushes 112 patches, which may cause management tools to buckle under pressure

  • Microsoft released patches for 112 unique prevalent vulnerabilities and exposures (CVEs), a single of which is tied to Windows and has been exploited in the wild.. (CC BY-SA 4.)

    Microsoft produced patches for 112 exclusive typical vulnerabilities and exposures (CVEs), 17 of which were being considered critical.

    Of the 17 critical patches, 12 were being tied to remote code execution (RCE) bugs. Total, the huge vast majority of the CVEs – 93 – have been rated critical and two rated reduced in severity.

    The updates this thirty day period influence the adhering to: Windows OS, Workplace and Place of work 365, Internet Explorer, Edge, and Edge Chromium, Microsoft Trade Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Groups, Azure SDK, DevOps, ChakraCore, and Visible Studio.

    There was one particular Windows vulnerability, CVE-2020-17087, that has been exploited in the wild. This vulnerability already operates as an “elevation of privilege” vulnerability in the Windows kernel cryptography driver, which lets an attacker elevate their privileges on the procedure.

    Although the vulnerability has only been rated as “Important” by Microsoft, Todd Schell, senior product supervisor of security at Ivanti explained it is a zero-day and has been publicly disclosed. This suggests attackers have already been applying it in the wild and information on how to exploit it has been distributed publicly, enabling more menace actors effortless accessibility to reproduce this exploit. In actuality, CVE-2020-17087 was identified by Google researchers as currently being exploited in tandem with a Google Chrome flaw (CVE-2020-15999), for which an update was designed accessible on October 20. Microsoft reported security teams should take care of the two vulnerabilities as before long as probable.

    Jay Goodman, strategic product or service marketing manager at Automox, explained in a blog that Microsoft’s recent set of patches could pretty properly pressure VPN infrastructure at businesses once again. He mentioned lots of corporations are probable to face VPN failures or downtime from legacy on-premises patch management applications buckling underneath the force.

    “VPNs are not created to extend the IT perimeter and with a substantial number of distant staff members and products, we experience a scenario where there’s no practical perimeter for an group,” Goodman explained. “Many corporations fully commited to resolving these troubles in the limited-expression by increasing their VPNs to meet the new demands for remote workforces. However, we now see that these knee-jerk reactions are not ready to continue to scale as businesses recognize this improve is no more time short-term.”