November 2020 Patch Tuesday has seen Microsoft correct 112 vulnerabilities across its range of products, including 17 critical flaws. 93 of the vulnerabilities are rated important and two are rated low severity.
This month’s updates see a change to the way Microsoft reports the vulnerabilities, with the descriptions of each no longer included. Instead, Microsoft is relying on the CVSS scores to provide information on the severity of each of the vulnerabilities. The descriptions provided further information on the nature of the flaw and how they could be exploited.
The 17 critical vulnerabilities affect Azure Sphere (1), Microsoft Browsers (1), Microsoft Scripting Engine (3), Microsoft Windows (2), and the Microsoft Windows Codecs Library (10), and include 12 remote code execution vulnerabilities.
Included in the patches is the Windows kernel cryptography zero-day vulnerability – CVE-2020-17087 – reported to Microsoft by Google Project Zero. The privilege escalation flaw allows sandbox escape without user interaction. The bug could potentially lead to remote code execution, although user interaction would be required.
The bug was assigned a severity rating of 7.8 out of 10 (important) by Microsoft as local access to a server would be required to exploit the flaw. The vulnerability affects Windows 7 and later versions and Windows Server 2008 and later. At least one working PoC exploit has been released publicly and Google Project Zero has detected attacks exploiting the vulnerability, in conjunction with the CVE-2020-15999 flaw in Google Chrome. The Chrome vulnerability was patched by Google on October 20, 2020.
While only rated important, there are six vulnerabilities affecting Microsoft SharePoint, including three spoofing vulnerabilities, two information disclosure vulnerabilities, and a vulnerability that could lead to remote code execution. These vulnerabilities should be prioritized along with the critical flaws.
Adobe has also released patches to correct three vulnerabilities, all of which have been rated important and affect Adobe Reader for Android (1) and Adobe Connect (2).