A newly disclosed zero-day in the Windows Kernel Cryptography driver that is already being actively exploited by malicious actors is among 112 unique common vulnerabilities and exposures (CVEs) fixed by Microsoft in its November 2020 Patch Tuesday update.
Assigned CVE-2020-17087, the bug affects Extended Security Update (ESU) Windows 7 and Server 8 through to the latest Windows 10 20H2 versions, and information on how to take advantage of it has already been widely distributed.
While Microsoft rates it only as important, it becomes particularly dangerous when chained with CVE-2020-15999, a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome: together the two can be used to escape Google Chrome’s sandbox and elevate privileges on the target system.
“Chaining vulnerabilities is an important tactic for threat actors,” said Satnam Narang, staff security researcher at Tenable.
“While both CVE-2020-15999 and CVE-2020-17087 were exploited in the wild as zero-days, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the FBI last month that highlighted threat actors chaining unpatched vulnerabilities to gain initial access into a target environment and elevate privileges.
“Even though Google and Microsoft have now patched these flaws, it is imperative for organisations to ensure they’ve applied these patches before threat actors begin to leverage them more broadly,” he said.
Other updates this month affect the Windows Operating System, Office and Office 365, Internet Explorer, Edge, Edge Chromium, Microsoft Exchange Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Teams, Azure SDK, DevOps, ChakraCore and Visual Studio.
“This month brings us fixes for 112 vulnerabilities, back to what has become a normal amount for this year after last month’s lighter drop. Of these vulnerabilities, 16 are marked as critical and 87 as important,” said Gill Langston, head security nerd at SolarWinds MSP.
“With the vulnerability count back up above 100, there are plenty of vulnerabilities to fix this month. My recommendation is you start with critical servers and then your workstations to address both the disclosed zero-day from last month and the remotely exploitable Windows Network File System Remote Code Execution Vulnerability that has a 9.8 CVSS score.
“Then turn attention to Exchange and SharePoint servers, if you are still running on-premises versions,” said Langston. “With these Exchange vulnerabilities regularly being announced, you may want to consider moving to Microsoft 365 to lessen the amount of systems you have to regularly pay attention to each month for patch duty. Finally, make sure your Office installations are up to date.”
Chris Hass, director of information security and research at Automox, highlighted some of the more critical vulnerabilities, including CVE-2020-17051, a remote code execution (RCE) vulnerability in Windows’ Network File System – a client/server system that lets users access files across a network and treat them as though they resided in a local file directory.
“As you can imagine, with the functionality this service provides, attackers have been taking advantage of it to gain access to critical systems for a long time,” said Hass. “It won’t be long before we see scanning of port 2049 increase over the next few days, with exploitation in the wild likely to follow.”
Hass also drew attention to CVE-2020-17052 and CVE-2020-17053, a pair of critical memory corruption vulnerabilities that could give malicious actors RCE capabilities via Microsoft’s Scripting Engine and Internet Explorer.
“While both vulnerabilities affect the network stack, user interaction is required. A likely attack scenario would be to embed a malicious link in a phishing email that the victim would click to lead to a compromised landing page hosting the exploit. While Chrome still dominates the browser game, with the recent Mozilla layoffs Microsoft has picked up some new users, increasing the scope and number of active vulnerable browsers out there,” he said.
Automox also highlighted RCE flaws in Windows Print Spooler and Microsoft Raw Image Extension as ones to watch.
Meanwhile, Microsoft has faced criticism in some quarters for changes to how it describes vulnerabilities in the new version of its Security Update Guide. Microsoft said that in changing to describe vulnerabilities using the Common Vulnerability Scoring System (CVSS), it was demonstrating its commitment to industry standards.
However, in making this change, it has stopped providing descriptions of the scope of a vulnerability, and how and to what end it might be exploited. This has raised eyebrows because unless those responsible for applying the patches are trained security pros who understand raw CVSS data – which is not necessarily always the case – it becomes harder for IT teams to assess and prioritise their patching efforts.
Tenable CSO Bob Huber was among those to express concerns. He said: “By relying on CVSS v3 ratings alone, Microsoft is eliminating a ton of valuable vulnerability data that can help inform organisations of the business risk a particular flaw poses to them.
“With this new format, end-users are completely blind to how a particular CVE impacts them. What’s more, this makes it nearly impossible to determine the urgency of a given patch. It’s difficult to understand the benefits to end-users.”
On the other hand, added Huber, it was clear to see that the new way of doing things might actually benefit malicious actors. “They’ll reverse engineer the patches and, by Microsoft not being explicit about vulnerability details, the advantage goes to attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for defenders to prioritise their remediation efforts,” he said.
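The complaint above is that a bare CVSS vector tells a non-specialist little about a flaw. As an added illustration for this article (not code from Microsoft, Tenable or the original piece), the following decodes a CVSS v3.1 base vector into plain words and computes its base score using the weights and rounding rule of the public v3.1 specification; the sample vectors are constructed for illustration and are not taken from the article.

```python
import math

# metric -> value -> (weight, plain-English reading); weights follow the CVSS v3.1 spec
METRICS = {
    "AV": {"N": (0.85, "Network"), "A": (0.62, "Adjacent"), "L": (0.55, "Local"), "P": (0.2, "Physical")},
    "AC": {"L": (0.77, "Low"), "H": (0.44, "High")},
    "PR": {"N": (0.85, "None"), "L": (0.62, "Low"), "H": (0.27, "High")},
    "UI": {"N": (0.85, "None"), "R": (0.62, "Required")},
    "S":  {"U": (None, "Unchanged"), "C": (None, "Changed")},
    "C":  {"H": (0.56, "High"), "L": (0.22, "Low"), "N": (0.0, "None")},
    "I":  {"H": (0.56, "High"), "L": (0.22, "Low"), "N": (0.0, "None")},
    "A":  {"H": (0.56, "High"), "L": (0.22, "Low"), "N": (0.0, "None")},
}
PR_SCOPE_CHANGED = {"L": 0.68, "H": 0.5}  # PR weights rise when the scope is changed


def parse_vector(vector):
    """Split 'CVSS:3.1/AV:N/...' into {'AV': 'N', ...}; reject unknown or missing base metrics."""
    parts = vector.split("/")
    if parts[0] not in ("CVSS:3.1", "CVSS:3.0"):
        raise ValueError("not a CVSS v3 vector")
    metrics = dict(p.split(":", 1) for p in parts[1:])
    for key, val in metrics.items():
        if val not in METRICS.get(key, {}):
            raise ValueError(f"bad metric {key}:{val}")
    missing = set(METRICS) - set(metrics)
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return metrics


def roundup(x):
    """CVSS v3.1 Roundup: round up to one decimal while avoiding floating-point artefacts."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def base_score(vector):
    """Base score per the v3.1 formula; the scope-changed branch uses the adjusted impact and PR."""
    m = parse_vector(vector)
    changed = m["S"] == "C"
    c, i, a = (METRICS[k][m[k]][0] for k in "CIA")
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = PR_SCOPE_CHANGED.get(m["PR"], 0.85) if changed else METRICS["PR"][m["PR"]][0]
    expl = 8.22 * METRICS["AV"][m["AV"]][0] * METRICS["AC"][m["AC"]][0] * pr * METRICS["UI"][m["UI"]][0]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))


def describe(vector):
    """Plain-English reading of the vector, the context a raw CVSS string does not give a reader."""
    w = {k: METRICS[k][v][1] for k, v in parse_vector(vector).items()}
    return (f"{w['AV']} attack vector, {w['AC'].lower()} complexity, privileges {w['PR'].lower()}, "
            f"user interaction {w['UI'].lower()}, scope {w['S'].lower()}; impact on confidentiality "
            f"{w['C'].lower()}, integrity {w['I'].lower()}, availability {w['A'].lower()}")
```

A full network-reachable RCE vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) yields the 9.8 the article cites, while a local privilege-escalation vector with low privileges required scores 7.8.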