This article is more than 1 year old

It's 2020 and a rogue ICMPv6 network packet can pwn your Microsoft Windows machine

Redmond urges folks to apply update ASAP – plus more fixes for Outlook and software from Adobe, Intel, SAP, Red Hat

Patch Tuesday Microsoft's Update Tuesday patch dump for October 2020 has delivered security patches that attempt to address 87 CVEs for a dozen Redmond products.

Nadella's security crew has identified 22 remote code execution (RCE) CVEs though the most worrisome looks like CVE-2020-16898, Windows TCP/IP RCE, which is rated 9.8 out 10 in severity. It affects Windows desktop and server systems.

According to Microsoft, the Windows TCP/IP stack doesn't properly handle ICMPv6 Router Advertisement packets. Thus someone could send a vulnerable machine a maliciously crafted IPv6 packet over the network to inject and execute code on the box, and ultimately hijack it – presumably with kernel-level privileges. Here's the worrying blurb from Redmond:

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.

Microsoft said exploitation is likely, and a workaround is available for Windows build 1709 and above. You're urged to patch this ASAP, though.

"Since the code execution occurs in the TCP/IP stack, it is assumed the attacker could execute arbitrary code with elevated privileges," said Zero Day Initiative's Dustin Childs in a summary of today's patches.

"If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround. Microsoft also gives this bug its highest exploitability rating, so exploits are likely. You should definitely test and deploy this patch as soon as possible."

Speaking of bad bugs, Hyper-V has a nasty guest-application-to-host-server escape (CVE-2020-16891) that you ought to patch.

CVE-2020-16947, a Microsoft Outlook RCE, also looks like it could pose problems. Rated with a CVSS score of 8.1/10, this memory handling flaw could allow an attacker to send a user with admin rights a specially crafted file and take over the system, if the preview pane is open.

"The specific flaw exists within the parsing of HTML content in an email," explained Childs. "The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer."

A total of 11 flaws are designated critical, 75 rate moderate, and one is merely important. Six of them have already been publicly disclosed.

Affected applications include:

  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Microsoft JET Database Engine
  • Azure Functions
  • Azure Sphere
  • Open Source Software
  • Microsoft Exchange Server
  • Visual Studio
  • PowerShellGet
  • Microsoft .NET Framework
  • Microsoft Dynamics
  • Microsoft Windows Codecs Library

The 88th entry on Microsoft's list is an advisory for Adobe Flash Player for Windows, which along with the versions for macOS, Linux and Chrome OS, contains a critical arbitrary code execution flaw (CVE-2020-9746).

Exploitation of the vulnerability "requires an attacker to insert malicious strings in an HTTP response that is by default delivered over TLS/SSL," according to Adobe.


The seven deadly sins letting hackers hijack America's govt networks: These unpatched bugs leave systems open


Users should install Adobe Flash Player on the applicable operating system and enjoy whatever time they have left with the app – Adobe plans to stop distributing Flash Player on December 31, 2020.

Enterprise software vendor SAP also delivered parcel of patches – 15 plus six additional patches to previous patches.

The most serious of these is an OS command injection vulnerability (CVE-2020-6364) affecting SAP Solution Manager (CA Introscope Enterprise Manager) and SAP Focused Run (CA Introscope Enterprise Manager), Versions - WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7. The bug rates 10 out of 10 in severity.

Intel released one security advisory covering three vulnerabilities in the BlueZ open-source Bluetooth stack. These high severity flaws could lead to privilege escalation and information disclosure. The fixes involve a Linux kernel update.

Red Hat meanwhile issued a security advisory for the Chromium browser in various Red Hat Enterprise Linux 6 packages. It addresses 35 fixes delivered by Google last week.

On the bright side, 87 CVEs is significantly less than the 129 Microsoft addressed in September. ®

More about


Send us news

Other stories you might like