Microsoft emits 112 security hole fixes – including the cure for a Google-disclosed kernel vuln exploited in the wild

Android, Adobe, SAP, Red Hat join the bug-busting party


Microsoft published fixes for 112 software vulnerabilities for its November Patch Tuesday, 17 of which have been rated critical.

Of the remainder, 93 are rated important, and two are rated low severity.

Fifteen Microsoft products are affected, including: Microsoft Windows, Office, Internet Explorer, Edge (EdgeHTML and Chromium), ChakraCore, Exchange Server, Dynamics, Windows Codecs Library, Azure Sphere, Windows Defender, Teams, Azure SDK, Azure DevOps, and Visual Studio.

One of the fixed flaws is being actively exploited: the Windows Kernel Cryptography Driver vulnerability (CVE-2020-17087), disclosed by Google's Project Zero at the end of last month.

This elevation-of-privilege hole was abused in the wild together with CVE-2020-16009, a Chrome JavaScript engine remote-code execution flaw, to compromise victims' computers when they visited, say, malicious webpages. The CVE-2020-17087 driver bug was also exploited with CVE-2020-15999, a remote-code exec vulnerability in Chrome's font-parsing code, to hijack targeted people's PCs. All three bugs are now patched; installing the latest software updates fixes them.

"One of the most notable fixes in this month’s release is for CVE-2020-17087, an elevation-of-privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer-overflow vulnerability in the FreeType 2 library used by Google Chrome," Satnam Narang, staff research engineer at security biz Tenable told The Register.

"The elevation-of-privilege vulnerability was used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year."


Narang said the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI last month published a joint advisory warning that miscreants are chaining unpatched vulnerabilities together to compromise and gain access to targets. Indeed, judging from the above – and that Apple patched exploited-in-the-wild bugs, found by Google Project Zero, in its font parser and kernel code – one might assume someone highly skilled or some top-tier group has lately taken a particular interest in hijacking people's computers and devices via malicious webpages and documents.

Zero Day Initiative's Dustin Childs in a blog post observed the relatively high number of remote-code execution (RCE) bugs getting repaired this month.

"Beyond the Critical-rated ones already mentioned, the bug in Microsoft Teams stands out – simply because so many students are using Teams right now and may not be as security savvy as adults," Childs said. "It does require user interaction, so remind your kids not to click on links from strangers."

The Teams RCE bug, designated CVE-2020-17091, is only rated important.

In conjunction with its patch dump, Microsoft has redesigned how it presents vulnerability information in its online Security Update Guide. Redmond suggests its design change conveys vulnerability information more concisely. But Childs criticized the layout revision, stating that less information is now published, which makes it more difficult to assess the risks of various bugs.

Other companies posted their own lists of security shortcomings. Google published details about 20 Android flaws, plus bugs identified in MediaTek and Qualcomm components. Adobe, after firing off an out-of-band update last week, published two new bulletins. Intel published 36 security advisories. SAP is offering 12 new advisories alongside three updates to previous ones. Red Hat has released 21 security updates.

In all, it's enough to keep IT admins and users busy patching for a while. ®

