It's 2020 and a rogue ICMPv6 network packet can pwn your Microsoft Windows machine

Redmond urges folks to apply update ASAP – plus more fixes for Outlook and software from Adobe, Intel, SAP, Red Hat

Patch Tuesday Microsoft's Update Tuesday patch dump for October 2020 has delivered security patches that attempt to address 87 CVEs for a dozen Redmond products.

Nadella's security crew has identified 22 remote code execution (RCE) CVEs though the most worrisome looks like CVE-2020-16898, Windows TCP/IP RCE, which is rated 9.8 out 10 in severity. It affects Windows desktop and server systems.

According to Microsoft, the Windows TCP/IP stack doesn't properly handle ICMPv6 Router Advertisement packets. Thus someone could send a vulnerable machine a maliciously crafted IPv6 packet over the network to inject and execute code on the box, and ultimately hijack it – presumably with kernel-level privileges. Here's the worrying blurb from Redmond:

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.

Microsoft said exploitation is likely, and a workaround is available for Windows build 1709 and above. You're urged to patch this ASAP, though.

"Since the code execution occurs in the TCP/IP stack, it is assumed the attacker could execute arbitrary code with elevated privileges," said Zero Day Initiative's Dustin Childs in a summary of today's patches.

"If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround. Microsoft also gives this bug its highest exploitability rating, so exploits are likely. You should definitely test and deploy this patch as soon as possible."

Speaking of bad bugs, Hyper-V has a nasty guest-application-to-host-server escape (CVE-2020-16891) that you ought to patch.

CVE-2020-16947, a Microsoft Outlook RCE, also looks like it could pose problems. Rated with a CVSS score of 8.1/10, this memory handling flaw could allow an attacker to send a user with admin rights a specially crafted file and take over the system, if the preview pane is open.

"The specific flaw exists within the parsing of HTML content in an email," explained Childs. "The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer."

A total of 11 flaws are designated critical, 75 rate moderate, and one is merely important. Six of them have already been publicly disclosed.

Affected applications include:

  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Microsoft JET Database Engine
  • Azure Functions
  • Azure Sphere
  • Open Source Software
  • Microsoft Exchange Server
  • Visual Studio
  • PowerShellGet
  • Microsoft .NET Framework
  • Microsoft Dynamics
  • Microsoft Windows Codecs Library

The 88th entry on Microsoft's list is an advisory for Adobe Flash Player for Windows, which along with the versions for macOS, Linux and Chrome OS, contains a critical arbitrary code execution flaw (CVE-2020-9746).

Exploitation of the vulnerability "requires an attacker to insert malicious strings in an HTTP response that is by default delivered over TLS/SSL," according to Adobe.


The seven deadly sins letting hackers hijack America's govt networks: These unpatched bugs leave systems open


Users should install Adobe Flash Player on the applicable operating system and enjoy whatever time they have left with the app – Adobe plans to stop distributing Flash Player on December 31, 2020.

Enterprise software vendor SAP also delivered parcel of patches – 15 plus six additional patches to previous patches.

The most serious of these is an OS command injection vulnerability (CVE-2020-6364) affecting SAP Solution Manager (CA Introscope Enterprise Manager) and SAP Focused Run (CA Introscope Enterprise Manager), Versions - WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7. The bug rates 10 out of 10 in severity.

Intel released one security advisory covering three vulnerabilities in the BlueZ open-source Bluetooth stack. These high severity flaws could lead to privilege escalation and information disclosure. The fixes involve a Linux kernel update.

Red Hat meanwhile issued a security advisory for the Chromium browser in various Red Hat Enterprise Linux 6 packages. It addresses 35 fixes delivered by Google last week.

On the bright side, 87 CVEs is significantly less than the 129 Microsoft addressed in September. ®

Broader topics

Other stories you might like

  • Red Hat Kubernetes security report finds people are the problem
    Puny human brains baffled by K8s complexity, leading to blunder fears

    Kubernetes, despite being widely regarded as an important technology by IT leaders, continues to pose problems for those deploying it. And the problem, apparently, is us.

    The open source container orchestration software, being used or evaluated by 96 per cent of organizations surveyed [PDF] last year by the Cloud Native Computing Foundation, has a reputation for complexity.

    Witness the sarcasm: "Kubernetes is so easy to use that a company devoted solely to troubleshooting issues with it has raised $67 million," quipped Corey Quinn, chief cloud economist at IT consultancy The Duckbill Group, in a Twitter post on Monday referencing investment in a startup called Komodor. And the consequences of the software's complication can be seen in the difficulties reported by those using it.

    Continue reading
  • Infosys skips government meeting - and collecting government taxes
    Tax portal wobbles, again

    Services giant Infosys has had a difficult week, with one of its flagship projects wobbling and India's government continuing to pressure it over labor practices.

    The wobbly projext is India's portal for filing Goods and Services Tax returns. According to India’s Central Board of Indirect Taxes and Customs (CBIC), the IT services giant reported a “technical glitch” that meant auto-populated forms weren't ready for taxpayers. The company was directed to fix it and CBIC was faced with extending due dates for tax payments.

    Continue reading
  • Google keeps legacy G Suite alive and free for personal use

    Google has quietly dropped its demand that users of its free G Suite legacy edition cough up to continue enjoying custom email domains and cloudy productivity tools.

    This story starts in 2006 with the launch of “Google Apps for Your Domain”, a bundle of services that included email, a calendar, Google Talk, and a website building tool. Beta users were offered the service at no cost, complete with the ability to use a custom domain if users let Google handle their MX record.

    The service evolved over the years and added more services, and in 2020 Google rebranded its online productivity offering as “Workspace”. Beta users got most of the updated offerings at no cost.

    Continue reading

Biting the hand that feeds IT © 1998–2022