Patch Tuesday: Dangerous Zero-Day Hides Among Another 100+ CVEs

  • Right after a transient respite final thirty day period, Microsoft hit program directors with another large patch load this thirty day period, issuing fixes for 112 CVEs such as 1 getting actively exploited in the wild.

    The updates for November address a extensive vary of products and solutions such as Windows, Business office and Business 365, IE, Edge, Edge Chromium, Trade Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Teams, Azure SDK, DevOps, ChakraCore and Visible Studio.

    On the other hand, gurus are urging buyers to prioritize CVE-2020-17087, an Elevation of Privilege bug in the Windows Kernel Cryptography Driver. It affects all versions of the OS, from the Extended Security Update (ESU) in Windows 7 and Server 2008 up to the newest Windows 10 20H2 versions.

    “While the vulnerability is only rated as Essential by Microsoft, it is a zero-working day vulnerability and has been publicly disclosed. This suggests attackers have currently been detected working with it in the wild and information on how to exploit it has been dispersed publicly, permitting further menace actors easy entry to reproduce this exploit,” explained Ivanti senior merchandise manager, Todd Schell.

    “CVE-2020-17087 was found by Google researchers as remaining exploited in tandem with a Google Chrome flaw (CVE-2020-15999), for which an update was designed accessible on Oct 20. The two vulnerabilities ought to be resolved as shortly as feasible.”

    Meanwhile, Qualys vulnerability signatures product manager, Animesh Jain, warned of 6 flaws in SharePoint that should be reasonably high up on the to-do checklist.

    “Three of these vulnerabilities (CVE-2020-17016, CVE-2020-17015, CVE-2020-17060) entail spoofing vulnerabilities, and two (CVE-2020-16979, CVE-2020-17017) require information disclosure vulnerabilities,” she discussed. “The remaining just one (CVE-2020-17061) is a distant code execution vulnerability mainly because of this, it is remarkably proposed to prioritize these patches across all SharePoint deployments.”

    Many sysadmins will recognize that Microsoft has pared back again the information it incorporates with every single vulnerability. Though this was ostensibly done to slide in line with sector typical CVSS, some have argued that this helps make it harder for non-security professionals to realize how appropriate a bug/CVE is to their firm.