In its October 2020 Patch Tuesday fixes, Microsoft has patched almost 90 bugs, and although none of them have been used in attacks, many of the flaws were publicly disclosed before the patches were released.
The publicly disclosed vulnerabilities have been categorised as significant severity, and their exploitation can lead to information disclosure or privilege escalation. Most of them affect Windows and one affects the .NET Framework.
The .NET vulnerability allows an authenticated attacker to access memory, specifically the memory layout, of the targeted device. Exploitation requires running a specially crafted program.
Another disclosed flaw affects the Windows Error Reporting (WER) component and can be leveraged for privilege escalation. While this specific vulnerability does not appear to have been abused, Malwarebytes reported earlier this month that it had spotted an intrusion in which the payload was injected into the WER service to evade defences.
Two of the disclosed flaws affect the Windows kernel. An authenticated attacker may abuse them to access information that could be useful for further breaching affected networks.
One of the bugs whose specifics have been made public affects Windows 10 Configuration, and it can only be used by a local attacker for privilege escalation while the device updates to a newer version of Windows.
The last disclosed problem affects the Windows Storage VSP Driver, and it can allow an authenticated attacker to escalate privileges.
Almost a dozen of the bugs fixed by Microsoft this month have been classified as serious. Windows, Outlook, the Base3D rendering engine, and SharePoint are all affected. All of them can result in remote code execution.
One interesting security flaw that has been rated critical is CVE-2020-16947, which affects Outlook and enables an attacker to execute arbitrary code by sending a specially crafted email to the targeted user.
“The Preview Pane is an attack vector here, but in order to be affected, you don’t even need to open the mail,” explained Dustin Childs of the Zero Day Initiative. “In the parsing of HTML material in an email, there is a particular error. The problem stems from the lack of sufficient confirmation of the length of user-supplied data before copying it to a fixed-length heap-based buffer. We have a working proof-of-concept, but Microsoft gives this an XI ranking of 2. Quickly fix this one.”
Another notable vulnerability patched this month is CVE-2020-16898, which is linked to how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets. By sending specially crafted packets to the targeted computer, an attacker can exploit the flaw for code execution on a server or client.
Qualys senior vulnerability and threat research manager Bharat Jogi warned that this flaw could be wormable.
“Without any authentication, an attacker will exploit this flaw, and it is potentially wormable,” Jogi said in an emailed statement. “We believe that a PoC will soon be dropped for this hack, and we really advise everyone to patch this flaw as soon as possible.” Microsoft has already offered a solution for this vulnerability and strongly advises that patches for it be installed quickly.
It is worth noting that, relative to previous months, the number of bugs patched on this Patch Tuesday is marginally lower. The number of patched vulnerabilities never fell below 110 between March and September.
Todd Schell, Senior Security Product Manager at Ivanti, pointed out that no Edge or Internet Explorer updates seem to be available this month. He said, “Not sure if I recall the last time this happened.”
Adobe’s October 2020 Patch Tuesday updates address just one important code execution flaw in Flash Player.