Tuesday, November 2020 Patch – Crabs on Security

Adobe And Micro .ft Everyone made an impact today with updates to plug serious security holes in their software. The release of Micro .ft already includes a zero-day vulnerability to attack Windows users, including a zero-day vulnerability. Microsoft also takes drastic measures to change its security advice and to limit the disclosure of information about each error.

Some of the 112 issues fixed in today’s patch batch include “critical” issues with Windows 17, or can be used by malware or malware to gain full, remote control over a sensitive Windows computer without the help of users.

Most of the rest of the ratings were assigned “critical”, referring to a vulnerability in the Redmond lens whose exploitation could “compromise the confidentiality, integrity, or availability of user data, or the integrity or availability of process resources.”

The main concern in all these updates this month is CVE-2020-17087, a “significant” bug in the Windows kernel that is already seeing active exploitation. CVE-2020-17087 is not listed as important because it is known as a privilege growth flaw that allows an attacker to gain administrative control that can compromise an already less powerful user account on the system. In essence, it should be tied to another exploitation.

Unfortunately, Google researchers have recently described the testimony. October 20, Google Released an update for her Chrome The browser that fixed the bug (CVE-2020-15999) was used with CVE-2020-17087 to reconcile with Windows users.

If you take a look at the advisory Microsoft published today for CVE-2020-17087 (or any other from today’s batch), you will probably see that they seem a bit more scattered. That’s because Microsoft has chosen to rearrange that advice around the Common Vulnerability Scoring System (CVSS) format to more closely align the advice format of other major software vendors.

But in doing so, Microsoft has also removed some useful information, such as a broad description describing the scope of the vulnerability, how it can be obtained, and what the consequences of exploitation might be. Microsoft explained the rationale behind this shift in a blog post.

Not happy with every new format. Bob Huber, Tenable’s chief security officer, praised Microsoft Microsoft for adopting the industry standard, but said the company should keep in mind that those reviewing Patch Tuesday’s release are not security professionals, but IT counterparts responsible for implementing updates that are often not capable. And) Decipher should not be raw CVSS data.

“With this new format, end users are completely blind to how full CVE affects them,” Huber said. “What’s more, it makes it almost impossible to determine the urgency of a given patch. It is difficult to understand the benefits for end users. However, it is not difficult to see how bad actors benefit from this new constitution. They will make the patches the opposite and, unless the vulnerability details are clarified by the micro .ft, the advantage goes to the attackers, not the defenders. Without the right context for this CVE, it becomes increasingly difficult for defenders to prioritize their remedy efforts. “

Dustin Children With Attitude microThe ‘Zero Day Initiative’ was also shocked today by the lack of details included in the Microsoft Advisory, which was linked to two other bugs that were corrected. Microsoft Exchange Server (CVE-2020-16875) and CVE-2020-17051, which is a scary looking weakness Windows Network File System (NFS).

Children said the exchange problem was reported by the winner of the contest Pwn2Own Miami Bug Detection.

“With any details provided by Microsoft, we can only assume that this is a bypass of the CVE 2020-16875 that he mentioned earlier,” said Childs. “It is likely that he will soon publish the details of these errors. Micro .ft gives this an important rate, but I would consider it critical, especially since people don’t find it difficult to patch the exchange. “

Similarly, with CVE-2020-17051, there was a significant lack of detail for bugs that scored CVSS 9.8 (10 most dangerous).

“Since there is no description to work with, we need to rely on CVSS to give an indication of the actual risk by mistake,” Childz said. “Keep in mind that this is not listed as a user interaction with low attack complexity, and considering that NFS is a network service, you should consider this uncomfortable unless we learn otherwise.”

Separately, Adobe today released updates to plug in at least 14 security holes in Adobe Acrobat and Reader. Details about those updates are available here. There are no security updates for Adobe’s Flash Player, which Adobe has said will retire later this year. Microsoft .ft, which has created a bundled version of Flash with its web browsers, says it plans to send an update in December that will remove Flash from Windows PCs, and last month made the device available for download.

Windows 10 users should be aware that the operating system will download operating system updates and install them on its own schedule, close active programs and reboot the system. If you want to make sure Windows has stopped updating so you can back up your files and / or system, see this guide.

But please back up your system before applying any of these updates. Windows 10 also has some built-in tools that help you to do this, either on a file-folder / folder basis or by making your hard drive complete and bootable at the same time.

As always, if you experience difficulties or problems installing any of these patches this month, please consider making a comment about it below; There is also a great opportunity that other readers have also experienced and with some helpful tips here it is possible.

Tags: Bob Huber, CVE-2020-15999, CVE-2020-16875, CVE-2020-17051, CVE-2020-17087, Dustin Children, Micro Exchange Ft Exchange Server, Tenable, Trend Micro, Windows Network File System, Zero Day Initiative