Microsoft has plugged 87 security holes, including critical ones in the Windows TCP/IP stack and in Microsoft Outlook and Microsoft 365 Apps for Enterprise.
Microsoft has released patches for 87 CVE-numbered flaws in a variety of its offerings: 11 critical, 75 important, and one of moderate severity. None of the fixed vulnerabilities are currently being exploited, though six of them were previously publicly known.
Trend Micro Zero Day Initiative’s Dustin Childs has singled out a few that should be addressed quickly:
CVE-2020-16898 – A Windows TCP/IP vulnerability that could be remotely exploited by sending a specially crafted ICMPv6 router advertisement to an affected Windows server or client, and that could allow code execution. Researchers at McAfee have dubbed the flaw “Bad Neighbor” because it is located within the ICMPv6 Neighbor Discovery Protocol, and say that it “could be made wormable”.
“The only good news is that Microsoft’s internal security team unearthed the vulnerabilities, meaning PoC code likely won’t surface until someone reverse engineers the patch and discovers the source of these vulnerabilities,” noted Nicholas Colyer, Senior Product Marketing Manager at Automox.
CVE-2020-16947 – A remote code execution flaw affecting Microsoft Outlook and Microsoft 365 Apps for Enterprise. The flaw can be triggered by a specially crafted file that a target user is convinced/tricked into opening, but also by the user previewing the file via the Preview Pane (i.e., the user does not have to open the email with the attached file in order for the exploit to work).
CVE-2020-16909 – A bug in the Windows Error Reporting (WER) component that could be used by an authenticated attacker to execute arbitrary code with escalated privileges. “Although this CVE is not listed as being publicly exploited, bugs in this component have been reported as being used in the wild in fileless attacks. Regardless, this and the other bugs in the WER component being fixed this month should not be ignored,” Childs pointed out.
Animesh Jain, Vulnerability Signatures Product Manager at Qualys, advises prioritizing Windows Camera Codec, GDI+, Browser, Hyper-V, Outlook, Media Foundation and Graphics components vulnerabilities for workstations.
She also recommends that admins apply the SharePoint Server updates to patch two RCEs (CVE-2020-16951 and CVE-2020-16952).
Exploitation of these vulnerabilities requires that a user (an authenticated attacker) upload a specially crafted SharePoint application package to an affected version of SharePoint, Microsoft explained, but if they succeed, they could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm.