In a recent update during its November 2020 Patch Tuesday, Microsoft disclosed fixes for 112 newly identified security vulnerabilities. This release notably includes a zero-day flaw that was actively exploited and brought to light by Google’s security team the previous week.
The series of patches issued addresses a variety of vulnerabilities, with 17 classified as Critical, 93 deemed Important, and two considered Low in severity. This update raises the patch count above 110 once more, following a slight dip in the previous month.
The security updates target multiple software components, including Microsoft Windows, Microsoft Office applications, Internet Explorer, Microsoft Edge, Exchange Server, and other platforms like Azure Sphere and Windows Defender. This comprehensive approach reflects the wide landscape of systems that may be vulnerable.
Among the critical vulnerabilities fixed is CVE-2020-17087, which affects the Windows Kernel Cryptography Driver (“cng.sys”) and possesses a CVSS score of 7.8. This flaw was reported by Google’s Project Zero team on October 30 as being exploited alongside a Chrome zero-day vulnerability to compromise users of Windows 7 and Windows 10.
In response, Google also rolled out an update for its Chrome browser last month to rectify the zero-day vulnerability (CVE-2020-15999). Microsoft’s advisory on the Windows flaw is sparse, providing limited details beyond identifying it as a “Windows Kernel Local Elevation of Privilege Vulnerability.” This aligns with Microsoft’s effort to standardize its security advisories with the Common Vulnerability Scoring System (CVSS) format.
In addition to addressing the zero-day, the security updates resolve multiple remote code execution (RCE) vulnerabilities affecting Exchange Server (CVE-2020-17084), Network File System (CVE-2020-17051), and Microsoft Teams (CVE-2020-17091), along with a security bypass vulnerability in Windows Hyper-V (CVE-2020-17040).
The vulnerability CVE-2020-17051 has been rated an alarming 9.8 out of 10 on the CVSS scale, indicating its critical nature, although Microsoft clarified that the attack complexity remains low. Information provided in the advisories on how these RCE vulnerabilities could be exploited remains scarce, limiting transparency on the specific vulnerabilities being exploited.
Additionally, Microsoft has addressed memory corruption vulnerabilities in both the Microsoft Scripting Engine (CVE-2020-17052) and Internet Explorer (CVE-2020-17053), alongside addressing multiple RCE vulnerabilities within the HEVC Video Extensions Codecs library.
Businesses utilizing Windows systems are strongly advised to promptly implement these latest security patches to mitigate the risks associated with these vulnerabilities. Users can install the updates by navigating to Start > Settings > Update & Security > Windows Update, or by selecting ‘Check for Windows updates.’