Microsoft emits 112 security hole fixes – including the cure for a Google-disclosed vuln exploited in the wild

Patch Tuesday Microsoft published fixes for 112 software vulnerabilities for its November Patch Tuesday, 17 of which have been rated critical.

Of the remainder, 93 are rated important, and two are rated low severity.

Fifteen Microsoft products are affected, including: Microsoft Windows, Office, Internet Explorer, Edge (EdgeHTML and Chromium), ChakraCore, Exchange Server, Dynamics, Windows Codecs Library, Azure Sphere, Windows Defender, Teams, Azure SDK, Azure DevOps, and Visual Studio.

One of the fixed flaws is being actively exploited, the Windows Kernel Cryptography Driver vulnerability (CVE-2020-17087) disclosed by Google’s Project Zero at the end of last month.

“One of the most notable fixes in this month’s release is for CVE-2020-17087, an elevation of privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome,” Satnam Narang, staff research engineer at security biz Tenable told The Register.

“The elevation of privilege vulnerability was used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year.”

Narang said the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI last month published a joint advisory warning that miscreants are chaining unpatched vulnerabilities together to compromise and gain access to targets.

Zero Day Initiative’s Dustin Childs in a blog post observed the relatively high number of remote code execution (RCE) bugs getting repaired this month.

“Beyond the Critical-rated ones already mentioned, the bug in Microsoft Teams stands out – simply because so many students are using Teams right now and may not be as security savvy as adults,” Childs said. “It does require user interaction, so remind your kids not to click on links from strangers.”

The Teams RCE bug, designated CVE-2020-17091, is only rated important.

In conjunction with its patch dump, Microsoft has redesigned how it presents vulnerability information in its online Security Update Guide. Redmond suggests its design change conveys vulnerability information more concisely. But Childs criticized the layout revision, stating that less information is now published, which makes it more difficult to assess the risks of various bugs.

Other companies posted their own lists of security shortcomings. Google published details about 20 Android flaws, plus bugs identified in MediaTek and Qualcomm components. Adobe, after firing off an out-of-band update last week, published two new bulletins. Intel published 36 security advisories. SAP is offering 12 new advisories alongside three updates to previous ones. Red Hat has released 21 security updates.

In all, it’s enough to keep IT admins and users busy patching for a while. ®

Source link

Related Articles

Back to top button