Microsoft has released the October 2020 Security updates, which include patches for 87 vulnerabilities, 11 of them rated Critical. The update also includes a patch for a Critical “Bad Neighbor” TCP/IP RCE vulnerability, CVE-2020-16898.
Of additional note, Microsoft also released two out-of-band patches to address a Windows Codecs Library vulnerability (CVE-2020-17022) and a Visual Studio JSON RCE vulnerability (CVE-2020-17023).
In all, the Microsoft security updates address vulnerabilities in the following products:
- Adobe Flash Player
- Azure Functions
- Microsoft .NET Framework
- Microsoft Dynamics
- Microsoft Exchange Server
- Microsoft JET Database Engine
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows
- Microsoft Windows Codecs Library
- Open Source Software
- Visual Studio
Microsoft has provided patches for each of the vulnerabilities and also summarized them in the October 2020 Security Updates Release Notes.
“Bad Neighbor” RCE
One of the Critical patches included a fix for a TCP/IP “Bad Neighbor” vulnerability CVE-2020-16898.
“A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client,” Microsoft stated in the advisory.
Although Microsoft originally warned exploitation of the vulnerability was “more likely,” the company updated the advisory on October 15 to state exploitation was “less likely.” The CVSS score was also lowered from 9.8 to 8.8.
In addition, the tech giant added new FAQ, mitigation and workaround information in the latest update for CVE-2020-16898.
Security researchers Mark Bereza (“Makumasa”) and “nemadrias” also published new proof of concept (PoC) exploit code on GitHub:
“The proof-of-concept shared with MAPP members is both extremely simple and perfectly reliable. It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations. The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this is the type of bug that could be made wormable.”
Other Critical RCEs
“A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,” Microsoft stated in each of the advisories.
Furthermore, Microsoft also fixed the following eight RCE vulnerabilities:
- CVE-2020-16891: Windows Hyper-V Remote Code Execution Vulnerability
- CVE-2020-16911: GDI+ Remote Code Execution Vulnerability
- CVE-2020-16915: Media Foundation Memory Corruption Vulnerability
- CVE-2020-16923: Microsoft Graphics Components Remote Code Execution Vulnerability
- CVE-2020-16947: Microsoft Outlook Remote Code Execution Vulnerability
- CVE-2020-16967: Windows Camera Codec Pack Remote Code Execution Vulnerability
- CVE-2020-16968: Windows Camera Codec Pack Remote Code Execution Vulnerability
- CVE-2020-17003: Base3D Remote Code Execution Vulnerability
According to Microsoft, none of the advisories had known exploits as of the original advisory posting dates.
In addition, Microsoft patched the following vulnerabilities rated Important: Denial of Service (4), Elevation of Privilege (36), Information Disclosure (15), RCE (11), Security Feature Bypass (3) and Spoofing (6). One Moderate-rated flaw was also addressed.
Out of band patches
Two days after Tuesday’s security update, Microsoft also released two out-of-band patches on Thursday, October 15.
One of those patches addresses a Windows Codecs Library RCE vulnerability CVE-2020-17022. Microsoft confirmed that only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable to CVE-2020-17022.
A second patch fixes a Visual Studio JSON RCE vulnerability CVE-2020-17023.
At the time of publication, Microsoft had not provided confirmation on whether the vulnerabilities could be exploited.
Adobe also released updates for Flash Player.
The security update for Flash Player APSB20-58 fixes one Critical NULL pointer dereference vulnerability CVE-2020-9746 that could result in arbitrary code execution.