Patch Tuesday – October 2020

This month Microsoft patches a serious remote code execution (RCE) in Windows that could be easily wormable and Outlook gets a patch for a bug that could let an attacker run arbitrary code on affected systems. And after a break of a few months, Adobe releases a security update for Flash Player.

Windows and Windows Server

This month Microsoft has patched 7 RCE vulnerabilities rated critical. The most serious of which is CVE-2020-16898, a TCP/IP vulnerability discovered by Microsoft engineers where Windows improperly handles ICMPv6 Router Advertisement packets. The flaw could be used to install malware on a device by sending a malformed packet over the network.

McAfee has called the vulnerability ‘Bad Neighbor’ and it has published detailed information about the flaw here. Microsoft shared proof-of-concept code with Microsoft Active Protection Program (MAPP) members. McAfee’s Steve Povolny, Head of McAfee Advanced Threat Research, wrote:

The proof-of-concept shared with MAPP (Microsoft Active Protection Program) members is both extremely simple and perfectly reliable. It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations. The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable.

Of the remaining patches, there are two RCE bugs and 28 elevation of privilege (EoP) flaws, all rated important.

Exchange and SharePoint Server

Exchange Server gets a patch for an information disclosure vulnerability where an attacker could use a specially crafted OWA message that would be loaded from a URL controlled by the attacker. The attacker could gain access to information using web beacons and other types of tracking systems. The bug affects Exchange Server 2013, 2016, and 2019.

SharePoint Server 2010 SP2 gets a patch for a RCE rated important. While there are various patches issued for SharePoint Server versions from 2013 to 2019 addressing critical and important spoofing, information disclosure, and RCE bugs.

Microsoft Office

There are 13 patches for Microsoft 365 Enterprise Apps (Office), including one critical RCE in Outlook where the application fails to properly handle objects in memory. An attacker could run arbitrary code in the context of the System user. On devices where users have local administrator rights, an attacker could take complete control of an affected system. Users who aren’t configured with administrator privileges are less impacted. The bug also affects Microsoft Office 2016 and 2019, 32-bit and 64-bit editions.

Adobe Software

Finally this month, Adobe has issued a security update (CVE-2020-9746) for Flash Player. The update addresses a critical vulnerability that could lead to an attacker crashing an affected system and running arbitrary code in the context of the currently logged in user. Microsoft is rolling out the update for its browsers via Windows Update.