November 2020 Patch Tuesday: Microsoft fixes actively exploited Windows Kernel flaw
On this November 2020 Patch Tuesday:
- Microsoft has plugged 112 security holes, including an actively exploited one
- Adobe has delivered security updates for Adobe Reader Mobile and Adobe Connect
- Intel has dropped a huge stack of security advisories and patches
- SAP has released 12 security notes and updated three previously released ones
- Mozilla has fixed a critical vulnerability affecting Firefox, Firefox ESR, and Thunderbird
Microsoft’s updates
Microsoft plugged 112 CVE-numbered flaws in a variety of its products. Of these, 17 are Critical, 93 as Important, and two are Low in severity.
Microsoft has changed the way it describes fixed vulnerabilities, and the new advisories unfortunately hold less information than before – information that may be crucial for admins to asses which patches are to be prioritized.
So this month, the most information is available about CVE-2020-17087, a Windows Kernel privilege escalation vulnerability, because it’s being actively exploited in the wild (together with a Chrome bug) and because Google disclosed it on October 29, along with PoC exploit code.
“While not explicitly stated, the language used makes it seem the exploit is not yet widespread. However, considering there is a full analysis of the bug weeks before the patch, it will likely be incorporated into other exploits quickly,” noted Trend Micro Zero Day Initiative’s Dustin Childs.
He also picked out a few other interesting vulnerabilities fixed by Microsoft this November 2020 Patch Tuesday:
- CVE-2020-17051 – a critical Windows Network File System RCE flaw requires no user interaction and calls for low attack complexity, and may be wormable
- CVE-2020-17040 – a Windows Hyper-V Security feature bypass vulnerability
- CVE-2020-17084 – a RCE in Microsoft Exchange Server
The Critical vulnerabilities fixed this month are found in various image and video extensions (HEIF, HEVC, Raw Image, AV1), which the Microsoft Store will automatically update for affected customers. Others affect the Windows Print Spooler, the Chakra Scripting Engine, Internet Explorer, Edge, and Azure Sphere.
Microsoft has also patched many other Important vulnerabilities in Azure Sphere this month but, as Childs pointed out, since IoT devices running Azure Sphere are connected to the Internet and check for updates every day, patches for those have likely already been seamlessly implemented.
Adobe’s updates
Adobe has published two security bulletins, both for important (but not critical) vulnerabilities in Adobe Reader Mobile and Adobe Connect.
The Adobe Reader Mobile update fixes a single information disclosure bug. The Adobe Connect updates, which fix two vulnerabilities that may allow arbitrary JavaScript execution in the browser, will be staggered: for hosted services, the update is already available, for on-premise deployments it will be available from November 13.
None of the vulnerabilities are under active attack and the affected products have historically not been a target for attackers, so admins can prioritize other more critical updates and leave these for last.
Intel’s updates
Intel took advantage of the November 2020 Patch Tuesday to released a mammoth batch of advisories, covering vulnerabilities in drivers, server boards, various software, firmware, drones, BIOS, and so on.
Some advisories link to updates, some announced that there will be no security updates because the product is discontinued.
Two advisories cover issues that are deemed critical:
- For Intel CSME, SPS, TXE, AMT and DAL – among the fixed flaws is an out-of-bounds write flaw in IPv6 subsystem that may allow an unauthenticated user to potentially enable escalation of privileges via network access
- For Intel Wireless Bluetooth products – one of the fixed flaws is an improper buffer restriction that may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
It also has to be noted that Intel has fixed two flaws that may allow new side-channel attacks that may result in the attacker accessing sensitive data on Intel CPUs.
SAP’s updates
For November 2020 Patch Tuesday, SAP released 12 security notes and updated three previously released ones (for SAP Solution Manager, SAP NetWeaver, SAP Bank Analyzer and SAP S/4HANA Financial Products).
The most critical patches are for missing authentication check vulnerabilities in SAP Solution Manager (an integrated end-to-end platform intended to assist users in adopting new developments, managing the application lifecycle, and running SAP solutions) and a RCE flaw in SAP Data Services (an enterprise-class solution for data integration, data quality, data profiling, and text data processing).
Mozilla’s updates
Mozilla has released security updates to address a critical vulnerability (CVE-2020-26950) in Firefox, Firefox ESR, and Thunderbird.
They did not reveal many details about it, only that it may result in an exploitable use-after-free condition and that it has been revealed by a participant in the recently held Tianfu Cup 2020 International Cybersecurity Contest.