Microsoft officially released fixes for 112 newly discovered security vulnerabilities as part of its November 2020 Patch Tuesday, including an actively exploited zero-day flaw disclosed by Google's security team last week.
Of the flaws addressed by this release, 17 are rated Critical, 93 are rated Important, and two are rated Low in severity, bringing the patch count back above 110 after last month's drop.
The security updates cover a range of software, including Microsoft Windows, Office and Office Services and Web Apps, Internet Explorer, Edge, ChakraCore, Exchange Server, Microsoft Dynamics, Windows Codecs Library, Azure Sphere, Windows Defender, Microsoft Teams, and Visual Studio.
Chief among them is CVE-2020-17087 (CVSS score 7.8), a buffer overflow bug in the Windows Kernel Cryptography Driver ("cng.sys") that Google's Project Zero team disclosed on October 30 as being exploited in conjunction with a Chrome zero-day to compromise Windows 7 and Windows 10 users.
For its part, Google released an update for its Chrome browser to address the zero-day (CVE-2020-15999) last month.
Microsoft's advisory for the flaw goes into no detail beyond describing it as a "Windows Local Kernel Elevation of Privilege Vulnerability", partly because the company restructured its security advisories to follow the Common Vulnerability Scoring System (CVSS) format starting this month.
Outside of the zero-day, the update fixes a number of remote code execution (RCE) vulnerabilities affecting Exchange Server (CVE-2020-17084), Network File System (CVE-2020-17051), and Microsoft Teams (CVE-2020-17091), as well as a security feature bypass bug in Windows Hyper-V virtualization software (CVE-2020-17040).
CVE-2020-17051 is rated 9.8 out of a maximum of 10 on the CVSS scale, making it a critical vulnerability. Microsoft noted, moreover, that the attack complexity, that is, the conditions beyond the attacker's control that must exist to exploit the vulnerability, is low.
As with the zero-day, the advisories associated with these security flaws are light on details, with little information on how these RCE flaws can be abused or which security feature in Hyper-V is bypassed.
Other critical flaws fixed by Microsoft this month include memory corruption vulnerabilities in the Microsoft Scripting Engine (CVE-2020-17052) and Internet Explorer (CVE-2020-17053), as well as multiple RCE flaws in the HEVC Video Extensions codecs library.
It is strongly recommended that Windows users and system administrators apply the latest security patches to mitigate the threats associated with these issues.
To install the latest security updates, Windows users can go to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.
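As an added example that is not part of the article, the following PowerShell script, run on the host being checked, lists updates installed since the 10 November 2020 Patch Tuesday and reports the installed cng.sys driver version. The article does not state the patched cng.sys version, so the script only reports it for comparison against Microsoft's KB for your build; that comparison is left to the reader.

```powershell
# Added example (not from the article): confirm that updates have been
# installed on this host since the November 2020 Patch Tuesday (10 Nov 2020)
# and show the version of cng.sys, the driver affected by CVE-2020-17087.
# The fixed file version is not given in the article, so this script does
# not decide patched/unpatched; compare the reported version with the
# cumulative update KB for your Windows build.

$patchTuesday = Get-Date -Year 2020 -Month 11 -Day 10

# Get-HotFix returns installed updates with an InstalledOn date; entries with
# no date compare as older and are therefore excluded here.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    "Updates installed on or after $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    "No updates installed since $($patchTuesday.ToShortDateString()); run Windows Update."
}

# Report the cng.sys file version for comparison with the KB article.
$cng = Get-Item "$env:SystemRoot\System32\drivers\cng.sys"
"cng.sys version: $($cng.VersionInfo.FileVersion)"
```

Running the script in an elevated PowerShell session is not required, but Get-HotFix may take a few seconds on hosts with a long update history.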