Patch Tuesday – November 2020

This month Microsoft patches a Windows kernel zero-day flaw that is being exploited by hackers. Excel, SharePoint and Exchange Server also get patches for remote code execution (RCE) flaws.

Common Vulnerability Scoring System

Microsoft has updated its Security Update Guide to better comply with the Common Vulnerability Scoring System (CVSS). CVSS provides a precise way to describe vulnerabilities with details like attack vector, complexity, and whether a hacker needs elevated privileges to run a successful attack.

Previously, Microsoft provided three-paragraph descriptions of each vulnerability. In the new Security Update Guide, score metrics for different attributes are used to describe bugs instead. The new scoring systems appears to make sense in many ways. But it does mean that unless the details are revealed elsewhere, I won’t be able to provide descriptions of how bugs could be used to exploit Windows.

Image #1 Expand
Figure1 1
Patch Tuesday – November 2020 (Image Credit: Microsoft)

Windows and Windows Server

Following an update (CVE-2020-15999) from Google for its Chrome browser in October, Microsoft released a patch for a zero-day (CVE-2020-17087) in the Windows kernel that in combination with the Chrome flaw, could be used to gain access to a system. It’s not rated critical because the bug by itself cannot be used to elevate privileges. So, users not logged in with administrator accounts are at less risk. Regardless of the rating, CVE-2020-17087 is already being actively exploited in the wild so it’s important to get your systems patched.

Out of the patches rated critical this month, an RCE affecting the Windows Network File System (NFS) could be used to completely compromise systems without elevated privileges or any user interaction. The remaining critical vulnerability is in the Windows Print Spooler and it requires user interaction for a successful attack.

Internet Explorer 11 gets two patches for RCE flaws rated critical. IE11 is the default browser for users still on Windows 7 and it is also included out-of-the-box in Windows 10. Microsoft Edge (HTML), i.e. the legacy version of the browser, also gets one important and one critical RCE patch.

Exchange, SQL, and SharePoint Server

CVE-2020-16875 is an RCE vulnerability in Microsoft Exchange Server that is caused by improper validation of cmdlet arguments. It could be used to run arbitrary code in the context of the System user. But to successfully mount an attack the adversary would need to connect to Exchange as an authenticated administrator and compromise a specific Exchange role. CVE-2020-16875 affects Exchange Server 2016 CU 16 and 17, and Exchange Server 2019 CU 5 and 6.

SharePoint Enterprise Server gets 5 fixes, including one RCE rated important. There are no fixes for SQL Server.

Microsoft Office

The Microsoft 365 apps, which are the desktop apps you download and install if you have a valid Microsoft 365 subscription, get patches for 6 flaws this month. There are 3 RCEs and 2 security feature bypass bugs patched that are all rated important.

Adobe Software

Finally, Adobe Acrobat and Reader apps get a security update (APSB20-67) for Windows and macOS versions.

And that is it for another month!