Patch Tuesday – 11.2020
Commentary on the November 2020 Patch Tuesday release:
- This month, Microsoft addressed 112 vulnerabilities, including fixes for Office apps & services and for the Microsoft browsers, IE and Edge.
- Microsoft have rated 17 of these patches as Critical.
- 1 of the vulnerabilities is noted as having been publicly disclosed and under attack.
- Vulnerabilities of interest:
- CVE-2020-17087 – Windows Kernel Local Elevation of Privilege Vulnerability – EoP / (CVSS:7.8):
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C – Microsoft rates this vulnerability as Critical. The vulnerability was publicly disclosed by Project Zero in October and was seen being exploited in a chain with CVE-2020-15999, a Google Chrome browser vulnerability that escapes the sandbox and executes code on target systems.
- CVE-2020-17051 – Windows Network File System Remote Code Execution Vulnerability – RCE / (CVSS:9.8): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C – A remote code execution vulnerability exists in Windows NFS. Microsoft provide scant details on this; at present CARIBSOC regards this vulnerability as problematic within organizations and where NFS is opened to external networks (including the Internet).
- Other Vendors aligning releases to coincide with Microsoft’s Patch Tuesday:
- Adobe – Security updates are detailed here.
- SAP – Security updates are available here.
- VMware – Security updates are available here.
- Citrix – Some security patches were released today.
- Oracle – Security patches are available here.
- Chrome 84 security updates are detailed here.
- The Android Security Bulletin for August 2020 is detailed here.