There were 11 critical bugs & 6 that were unpatched but publicly known in this month’s regularly scheduled Microsoft updates.
Microsoft has put out fixes for 87 security vulnerabilities in Oct. – 11 of them critical – & 1 of those is potentially wormable.
Oct’s Patch Tuesday includes fixes for bugs in Microsoft Windows, Office & Office Services & Web Apps, Azure Functions, Open Source Software, Exchange Server, Visual Studio, .NET Framework, Microsoft Dynamics, & the Windows Codecs Library.
Patching the OS
A full 75 are listed as important, & just 1 is listed as moderate in severity. None are listed as being under active attack, but the group does include 6 issues that were known but unpatched before this month’s regularly scheduled updates.
“As usual, whenever possible, it’s better to prioritise updates against the Windows operating system,” Richard Tsang, Senior Software Engineer at Rapid7, explained. “Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60% of the vulnerabilities listed, along with over half of the critical RCE vulnerabilities resolved today.”
One of the most notable critical bugs, according to researchers, is a remote code-execution (RCE) problem in the TCP/IP stack. That issue (CVE-2020-16898) allows attackers to execute arbitrary code with elevated privileges using a specially crafted ICMPv6 router advertisement.
Microsoft gives this bug its highest exploitability rating, meaning attacks in the wild are extremely likely, & it carries a severity rating of 9.8 out of 10 on the CVSS vulnerability scale. True to the season, it could be an administrator’s horror show.
“If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround,” said Dustin Childs, Researcher at Trend Micro’s Zero-Day Initiative (ZDI), in his Patch Tuesday analysis. “You should definitely test & deploy this patch asap.”
Bharat Jogi, Senior Manager of Vulnerability & Threat Research at Qualys, commented that an exploit for the bug could be self-propagating, worming through infrastructure without user interaction.
“An attacker can exploit this vulnerability without any authentication, & it is potentially wormable,” he explained. “We expect a proof-of-concept (PoC) for this exploit would be dropped soon, & we highly encourage everyone to fix this vulnerability as soon as possible.”
“Luckily, if immediate patching isn’t viable due to reboot scheduling, Microsoft provides PowerShell-based commands to disable ICMPv6 RDNSS on affected operating systems,” said Tsang. “The PowerShell command `netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable` does not require a reboot to take effect.”
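The workaround quoted above, applied to every IPv6 interface in one pass, as an added example that is not Microsoft's or Rapid7's own script. The parameter names `-State` and `-Apply` and the 'RA Based DNS' output label it matches on are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: run the netsh workaround against each IPv6 interface and read it back.
param(
    [ValidateSet('disable', 'enable')]
    [string]$State = 'disable',   # 'enable' reverts the workaround once the patch is installed
    [switch]$Apply                # without -Apply the script only reports current settings
)

$results = foreach ($nic in Get-NetIPInterface -AddressFamily IPv6 | Sort-Object ifIndex) {
    $action = 'reported only'
    if ($Apply) {
        # Same command as in the quote, with the interface number filled in
        $out = & netsh int ipv6 set int $nic.ifIndex "rabaseddnsconfig=$State" 2>&1
        $action = if ($LASTEXITCODE -eq 0) { "set to $State" } else { "failed: $out" }
    }

    # Read the setting back from netsh; the 'RA Based DNS' label is an assumption
    # about the output text, so an unmatched label is reported as 'unknown'.
    $current = & netsh int ipv6 show int $nic.ifIndex |
        Select-String -Pattern 'RA Based DNS' |
        ForEach-Object { ($_.Line -split ':', 2)[1].Trim() }

    [pscustomobject]@{
        ifIndex = $nic.ifIndex
        Alias   = $nic.InterfaceAlias
        Action  = $action
        RaDns   = if ($current) { $current } else { 'unknown' }
    }
}

# One row per interface, so a failed or skipped interface is visible at a glance
$results | Format-Table -AutoSize
```

Run it once without `-Apply` to record the current state, then with `-Apply`; `-State enable -Apply` restores the default after the update and reboot.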
Another of the critical flaws is an RCE bug in Microsoft Outlook (CVE-2020-16947). The bug can be triggered by sending a special email to a target; & because the Preview Pane is an attack vector, victims do not need to open the mail to be infected (ZDI already has a proof-of-concept for this).
It can also be used in a web-based attack by convincing users to visit a malicious URL hosting triggering content.
“The specific flaw exists within the parsing of HTML content in an email. The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer,” according to Childs. That bug is rated 8.1 on the CVSS scale.
A critical Windows Hyper-V RCE bug (CVE-2020-16891, 8.8 on the CVSS scale) meanwhile allows an attacker to run a specially crafted program on an affected guest OS to execute arbitrary code on the host OS.
Windows Camera Codec
Other critical problems affect the Windows Camera Codec (CVE-2020-16967 and CVE-2020-16968, both 7.8 on the CVSS scale), both resulting from the lack of proper validation of user-supplied data, which can lead to a write past the end of an allocated buffer.
“If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” according to Microsoft.
“An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
RCE problems in SharePoint
2 other critical flaws are RCE problems in SharePoint Server (CVE-2020-16951 & CVE-2020-16952, both 8.6 on the CVSS scale). They exploit a gap in checking the source mark-up of an application package. Upon successful exploitation, the attacker could run arbitrary code in the context of the SharePoint application pool or server farm account.
“In both cases, the attacker would need to upload a specially crafted SharePoint application package to an affected version of SharePoint to get arbitrary code execution,” explained Childs. “This can be accomplished by an unprivileged SharePoint user if the server’s configuration allows it.”
Tsang added that PoCs are “starting to flow out in the wild, so bringing a closure to this pair of critical remote code execution vulnerabilities is a must.”
Media Foundation Library
The remaining critical bugs are RCE issues in Media Foundation Library (CVE-2020-16915, rating 7.8); the Base3D rendering engine (CVE-2020-17003, rating 7.8); Graphics components (CVE-2020-16923, rating 7.8); & the Windows Graphics Device Interface (GDI) (CVE-2020-16911, rating 8.8).
For the latter, the vulnerability exists in the way GDI handles objects in memory, according to Allan Liska, Senior Security Architect at Recorded Future.
“Successful exploitation could allow an attacker to gain control of the infected system with the same administrative privileges as the victim,” he observed, via email.
“This vulnerability could be exploited by either tricking a victim into visiting a compromised website with a specially crafted document or opening a specially crafted document via a phishing attack.”
Tsang added, “A mitigating factor here is that users with fewer privileges on the system could be less impacted, but still emphasises the importance of good security hygiene as exploitation requires convincing a user to open a specially-crafted file or to view attacker-controlled content.
Unlike CVE-2020-16898, however, this vulnerability affects all supported versions of Windows OS, which may suggest affecting unsupported/earlier versions of Windows as well.”
6 Publicly Known Bugs
There are also 6 vulnerabilities that have been unpatched until this month, but which were publicly known.
“Public disclosure could mean a couple things,” Todd Schell, Senior Product Manager of Security at Ivanti, concluded. “It could be that a demonstration of exploit was performed at an event or by a researcher. It could also mean that a PoC code has been made available. In any case, a public disclosure does mean that threat actors have advanced warning of a vulnerability & this gives them an advantage.”
The mean time to exploit a vulnerability from the moment of its disclosure is 22 days, suggests a research study from the US RAND Institute.
Windows Error Reporting (WER)
When it comes to these publicly known bugs, a Windows Error Reporting (WER) elevation-of-privilege issue (CVE-2020-16909) stands out, according to Childs, given that bugs in the WER component were recently reported as being used in the wild in fileless attacks.
Of the rest, 2 are EoP bugs, in the Windows Setup component & the Windows Storage VSP Driver; 2 are information-disclosure problems in the kernel; & 1 is an information-disclosure issue in .NET Framework.
“These info-disclosure bugs leak the contents of kernel memory but do not expose any personally identifiable information,” Childs went on to say.
The smaller patch load of 87 fixes is a significant departure from the 110+ patches the software giant has released monthly since March.
“Security teams are still reeling from efforts around reducing exposure to CVE-2020-1472 (Zerologon), & today’s Patch Tuesday thankfully brings a slightly lightened load of vulnerabilities compared to the previous 7 months, with no vulnerabilities currently known to be exploited in the wild,” Jonathan Cran, Head of Research at Kenna Security, commented.
“That said, several of the vulnerabilities in today’s update should be treated with a priority due to their usefulness to attackers [the critical bugs in the Win10 IPv6 stack, Outlook & Hyper-V]. These vulnerabilities all fall into the ‘patch quickly or monitor closely’ bucket.”
Some Products were Missing from the Fixes List
“There are a couple of interesting things this month,” Schell suggested. “There are no browser vulnerabilities being resolved. At the time of release, Microsoft did not have any CVEs reported against IE or Edge & no listing of the browsers as affected products this month. Not sure I remember the last time that has happened.”
Patch Tuesday rolls out this month as Microsoft launches the preview of its new update guide.
“It has provided a few nice improvements,” Schell mentioned. “Quick access to more of the risk-focused information can be found in the vulnerabilities view. Columns like ‘Exploited’ & ‘Publicly Disclosed’ allow you to sort & view quickly if there are high-risk items.”