Like most other tech companies, the tech giant Microsoft has had a tough 2020. For the past seven consecutive months, it has released more than 100 vulnerability fixes in each of its monthly Patch Tuesday updates. It is probably the support for a distributed workforce that added to the strain of fixing certain issues that weren’t critical previously. However, this busy year finally seems to be getting better: Microsoft’s Patch Tuesday for October 2020 contained only 87 vulnerability fixes, 11 of them critical.
What’s Included in Microsoft Patch Tuesday October 2020
The October release consists exclusively of security fixes for the following software:
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft JET Database Engine
- Azure Functions
- Open Source Software
- Microsoft Exchange Server
- Visual Studio
- Microsoft .NET Framework
- Microsoft Dynamics
- Adobe Flash Player
- Microsoft Windows Codecs Library
Tenable’s Staff Research Engineer, Satnam Narang, agrees with our commentary and says, “It has been an unusually busy year for Microsoft Patch Tuesday updates. This month’s Patch Tuesday includes fixes for 87 CVEs, 11 of which are rated critical. It also marks the first time since February that Microsoft patched less than 100 CVEs in a single release. These are positive signs. It means Microsoft is getting secured and much more stable adjusting to the current tech demands in the market.”
A Peep into the Vulnerabilities Fixed
Although discussing all 87 vulnerabilities is beyond the scope of this article, let’s have a look at the most critical ones below. For the complete list, refer to Microsoft’s Release Notes.
CVE-2020-16898: Windows TCP/IP Remote Code Execution Vulnerability
Dubbed “Bad Neighbor,” CVE-2020-16898 is a critical remote code execution (RCE) vulnerability within the Windows TCP/IP stack. The vulnerability exists due to improper handling of ICMPv6 Router Advertisement packets that use Option Type 25 and an even length field. According to a blog post from McAfee, Microsoft Active Protections Program (MAPP) members were provided with a test script that successfully demonstrates exploitation of this vulnerability to cause a denial of service (DoS). While the test scenario does not provide the ability to pivot to RCE, an attacker could craft a wormable exploit to achieve RCE. While an additional bug would be required to craft an exploit, it is likely that we will see proof-of-concept (PoC) code released in the near future.
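A defender-side check for the condition described above, added here as an example and not taken from the article, Microsoft or McAfee: it walks the options of an ICMPv6 Router Advertisement and flags a Type 25 (RDNSS) option whose length is even. The option layout follows RFC 4861 and RFC 8106; the function names and sample bytes are constructed for illustration.

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861
RA_HEADER_LEN = 16                  # type, code, checksum, hop limit, flags, lifetime, timers
OPT_RDNSS = 25                      # RFC 8106 Recursive DNS Server option


def audit_router_advertisement(icmpv6: bytes) -> list:
    """Return findings for one ICMPv6 message (the bytes after the IPv6 header)."""
    findings = []
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return findings                      # not a Router Advertisement
    offset = RA_HEADER_LEN
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = struct.unpack_from("!BB", icmpv6, offset)
        if opt_len == 0:                     # RFC 4861: a zero length is invalid
            findings.append(f"option type {opt_type} at offset {offset}: zero length")
            break
        size = opt_len * 8                   # the length field counts 8-octet units
        if offset + size > len(icmpv6):
            findings.append(f"option type {opt_type} at offset {offset}: truncated")
            break
        # A valid RDNSS option is 8 bytes of header plus n * 16 bytes of
        # addresses, so its length is always odd and at least 3.
        if opt_type == OPT_RDNSS and (opt_len < 3 or opt_len % 2 == 0):
            findings.append(f"RDNSS option at offset {offset}: invalid length {opt_len}")
        offset += size
    return findings


def _ra(options: bytes) -> bytes:
    """Constructed RA header (checksum left at zero) followed by the given options."""
    return struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + options


def _rdnss(opt_len: int) -> bytes:
    """Constructed RDNSS option: 8-byte header, then zero-filled address bytes."""
    return struct.pack("!BBHI", OPT_RDNSS, opt_len, 0, 600) + bytes(opt_len * 8 - 8)


# Constructed samples for the check, not captured traffic.
VALID_RA = _ra(_rdnss(3))       # one DNS server address: length 3
SUSPECT_RA = _ra(_rdnss(4))     # even length, the condition described above

if __name__ == "__main__":
    for name, pkt in (("valid", VALID_RA), ("suspect", SUSPECT_RA)):
        print(name, audit_router_advertisement(pkt))
```

The same length test can be expressed as a rule in a network IDS that inspects ICMPv6 type 134 traffic on segments where the patch is not yet applied.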
CVE-2020-16899: Windows TCP/IP Denial of Service Vulnerability
This CVE is similar to the previous one and also results from improper handling of ICMPv6 Router Advertisement packets. To exploit this flaw, an attacker needs to send manipulated ICMPv6 Router Advertisement packets, which could cause the system to stop responding. While Microsoft recommends applying the security update to patch this flaw, a workaround is available via a PowerShell command that disables ICMPv6 RDNSS (Recursive DNS Server) in the event the patch cannot be applied immediately.
CVE-2020-16951, CVE-2020-16952: Microsoft SharePoint Remote Code Execution Vulnerability
These RCE vulnerabilities in Microsoft SharePoint are the result of a failure to validate an application package’s source markup. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code under the context of the SharePoint application pool and the SharePoint server farm account.
CVE-2020-16947: Microsoft Outlook Remote Code Execution Vulnerability
This RCE flaw in Microsoft Outlook occurs due to the improper handling of objects in memory. An attacker can exploit this vulnerability using a crafted email file sent to a user using a vulnerable version of Microsoft Outlook. Because Outlook’s Preview Pane is affected by this flaw, a user does not have to open the message for the vulnerability to be exploited. As Outlook is widely used as an enterprise email solution, it is highly recommended to prioritize the patching of this CVE.
CVE-2020-16929, CVE-2020-16930, CVE-2020-16931, CVE-2020-16932: Microsoft Excel Remote Code Execution Vulnerability
To exploit these vulnerabilities, an attacker must create a malicious Excel file and get the victim to open it using a vulnerable version of Microsoft Excel, either by attaching the file to an email or hosting it on a website. Successful exploitation would allow an attacker to gain arbitrary code execution on the vulnerable system with the same rights as the current user. Exploitation of these vulnerabilities can become critical if the current user has administrative privileges, which could grant the attacker the ability to perform a complete takeover of the vulnerable system.