This week included the 2nd Tuesday of October, which means that it was “Patch Tuesday”. This is the day when Microsoft, along with other organisations including Google, Intel, SAP, and VMWare release their updates.
This month Microsoft addressed 87 vulnerabilities in several Microsoft Products including Excel, Outlook and the Windows TCP/IP Stack. 21 of these are Remote Code Execution (RCE) issues which could allow attackers to gain control of a vulnerable system. This is significantly less than the 129 that were fixed last month.
Affected applications include:
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft JET Database Engine
- Azure Functions
- Azure Sphere
- Open Source Software
- Microsoft Exchange Server
- Visual Studio
- Microsoft .NET Framework
- Microsoft Dynamics
- Microsoft Windows Codecs Library
Out of the list which can be found here, there are a few that stand out as being particularly dangerous in our opinion:
CVE-2020-16898 – Windows TCP/IP RCE
A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploits this vulnerability could gain the ability to execute code on the target server or client.
To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
The update addresses the vulnerability, by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.
CVE-2020-16891 – Hyper-V RCE
A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.
An attacker who successfully exploits the vulnerability could execute arbitrary code on the host operating system.
The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.
CVE-2020-16947 – Microsoft Outlook RCE
A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the System user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Along with Microsoft, Adobe released a Security Bulletin regarding FlashPlayer which it is recommended to either upgrade to or remove as it is going EoL at the end of 2020.