Adobe and Microsoft each issued a batch of updates today to plug critical security holes in their software. Microsoft’s release includes fixes for 112 separate flaws, including a zero-day vulnerability that is already being exploited to attack Windows users. Microsoft is also receiving criticism for changing its security warnings and limiting the amount of information disclosed about each bug.
About 17 of the 112 issues fixed in today’s patch batch involve “critical” issues in Windows, or those that can be exploited by malware or disgruntled people to take complete remote control of a vulnerable Windows computer without the help of users.
Most of the rest were assigned the rating of “significant”, which in Redmond parlance refers to a vulnerability whose exploitation could “compromise the confidentiality, integrity or availability of user data, or the integrity or availability of processing resources”.
A major concern among all of these updates this month is CVE-2020-17087, which is a “major” bug in the Windows kernel that is already experiencing active exploitation. CVE-2020-17087 is not listed as critical because it is what is known as a privilege escalation flaw that would allow an attacker who has already compromised a less powerful user account on a system to gain administrative control. In essence, it would have to be chained with another exploit.
Unfortunately, this is exactly what Google researchers described having witnessed recently. On October 20, Google released an update for its Chrome browser that fixed a bug (CVE-2020-15999) that was used in conjunction with CVE-2020-17087 to compromise Windows users.
If you take a look at the advisory Microsoft released today for CVE-2020-17087 (or any other from today’s batch), you might notice that they look a bit more sparse. This is because Microsoft has chosen to restructure these notices around the Common Vulnerability Scoring System (CVSS) format to more closely align the format of the notices with that of other major software vendors.
But in doing so, Microsoft has also removed useful information, such as the description that broadly explains the extent of the vulnerability, how it can be exploited, and what the result of the exploit might be. Microsoft explained its reasoning behind this change in a blog post.
Not everyone is happy with the new format. Bob Huber, Tenable’s chief security officer, praised Microsoft for adopting an industry standard, but said the company should consider that the people reviewing Patch Tuesday releases are not security professionals, but rather IT counterparts responsible for enforcing the updates, who often can’t (and shouldn’t have to) decipher raw CVSS data.
“With this new format, end users are completely blind to how a particular CVE impacts them,” Huber said. “Also, this makes it almost impossible to determine the urgency of a given patch. It is difficult to understand the benefits for end users. However, it is not too difficult to see how this new format benefits bad actors. They will reverse engineer the patches, and if Microsoft is not explicit about the details of the vulnerability, the advantage is for attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for advocates to prioritize their remediation efforts.”
Dustin Childs with Trend Micro’s Zero Day Initiative was also puzzled by the lack of details included in Microsoft’s warnings related to two other flaws fixed today, including one in Microsoft Exchange Server (CVE-2020-16875) and CVE-2020-17051, which is a terrifying weakness in the Windows Network File System (NFS).
The Exchange problem, Childs said, was reported by the winner of the Pwn2Own Miami bug-hunting contest.
“With no details provided by Microsoft, we can only assume that this is the deviation from CVE-2020-16875 that I had mentioned earlier,” Childs said. “It is very likely that the details of these errors will be published soon. Microsoft rates this as important, but I would treat it as critical, especially since people find it difficult to patch Exchange.”
Likewise, with CVE-2020-17051, there was a notable lack of detail for the bug which got a CVSS score of 9.8 (10 being the most dangerous).
“Without a description to work from, we need to rely on CVSS to provide clues to the real risk of error,” Childs said. “Consider this listed as no user interaction with low attack complexity, and considering that NFS is a network service, you should treat this as a problem until we know otherwise.”
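Reading a score such as the 9.8 above the way Childs does means decoding the CVSS vector behind it. The following added example (not part of the original article and not Microsoft's code) parses a CVSS v3 vector string into plain-language metrics and recomputes the base score with the public v3.1 formulas. Both sample vectors are constructed: the first matches the properties quoted above (network service, low attack complexity, no user interaction, 9.8) with its remaining metrics assumed, and the second is a generic local, low-privilege case.

```python
# CVSS v3.1 base-metric labels and weights, per the public FIRST specification.
IMPACT = {"H": ("high", 0.56), "L": ("low", 0.22), "N": ("none", 0.0)}
METRICS = {
    "AV": ("Attack vector", {"N": ("network", 0.85), "A": ("adjacent", 0.62),
                             "L": ("local", 0.55), "P": ("physical", 0.2)}),
    "AC": ("Attack complexity", {"L": ("low", 0.77), "H": ("high", 0.44)}),
    "PR": ("Privileges required", {"N": ("none", 0.85), "L": ("low", 0.62), "H": ("high", 0.27)}),
    "UI": ("User interaction", {"N": ("none", 0.85), "R": ("required", 0.62)}),
    "S": ("Scope", {"U": ("unchanged", None), "C": ("changed", None)}),
    "C": ("Confidentiality impact", IMPACT),
    "I": ("Integrity impact", IMPACT),
    "A": ("Availability impact", IMPACT),
}

def parse(vector):
    """Split a 'CVSS:3.x/AV:N/...' string into a validated {metric: value} dict."""
    prefix, _, rest = vector.partition("/")
    if not prefix.startswith("CVSS:3."):
        raise ValueError("not a CVSS v3 vector: %r" % vector)
    found = dict(part.split(":", 1) for part in rest.split("/") if ":" in part)
    for key, (_label, values) in METRICS.items():
        if found.get(key) not in values:
            raise ValueError("missing or invalid metric %s" % key)
    return found

def describe(vector):
    """Return one plain-language line per base metric."""
    m = parse(vector)
    return ["%s: %s" % (METRICS[k][0], METRICS[k][1][m[k]][0]) for k in METRICS]

def roundup(x):
    """Spec-defined rounding: smallest one-decimal value that is >= x."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (i // 10000 + 1) / 10.0

def base_score(vector):
    m = parse(vector)
    w = lambda k: METRICS[k][1][m[k]][1]
    changed = m["S"] == "C"
    # Privileges Required carries a higher weight when the scope changes.
    pr = {"L": 0.68, "H": 0.5}.get(m["PR"], w("PR")) if changed else w("PR")
    iss = 1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A"))
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    if impact <= 0:
        return 0.0
    total = impact + 8.22 * w("AV") * w("AC") * pr * w("UI")
    return roundup(min(1.08 * total if changed else total, 10))

# Constructed sample vectors (assumptions, not copied from any advisory).
REMOTE = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
LOCAL = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
```

Calling `describe()` on a vector gives patch teams the readable summary that a bare score does not, and `base_score()` shows why a network-reachable, no-interaction flaw lands well above a local one with the same impact.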
Separately, Adobe today released updates to plug at least 14 security holes in Adobe Acrobat and Reader. Details on those fixes are available here. There are no security updates for Adobe Flash Player, which Adobe has said will be retiring by the end of the year. Microsoft, which has included versions of Flash with its web browsers, says it plans to ship an update in December that will remove Flash from Windows PCs, and last month made the removal tool available for download.
Windows 10 users should know that the operating system will download updates and install them on its own schedule, closing active programs and restarting the system. If you want to make sure Windows has been set to pause the update so you can back up your files and/or system, check out this guide.
But do a backup of your system before applying any of these updates. Windows 10 even has a few tools built in to help you do that, whether it’s by file/folder or by doing a full, bootable copy of your hard drive in one go.
As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there is a good chance that other readers have experienced the same thing and can jump in here with some helpful advice.
This entry was posted on Tuesday, November 10, 2020 at 8:56 pm and is filed under Security Tools, Time to Patch.