October 2020 Patch Tuesday has seen Microsoft issue patches to correct 87 flaws across its product range, including 11 Critical flaws and 75 Important vulnerabilities. An advisory has also been issued about a critical vulnerability in Adobe Flash Player.
This month’s round of updates includes fixes for six publicly disclosed vulnerabilities. Microsoft is unaware of any cases where the flaws have been exploited and all have been rated Important. The publicly disclosed flaws are two Windows Kernel information disclosure vulnerabilities (CVE-2020-16938 and CVE-2020-16901), a Windows Storage VSP Driver elevation of privilege vulnerability (CVE-2020-16885), a Windows Setup elevation of privilege vulnerability (CVE-2020-16908), a Windows Error Reporting elevation of privilege vulnerability (CVE-2020-16909), and a .NET Framework information disclosure vulnerability (CVE-2020-16937).
The critical flaws affect Windows, Outlook, SharePoint, and the Base3D rendering engine and all can lead to the remote execution of arbitrary code.
A serious flaw – CVE-2020-16898 – is present in the Windows TCP/IP stack and is due to how the stack handles ICMPv6 Router Advertisement packets. It could be exploited on a server or client to execute arbitrary code, can be exploited remotely without authentication, and is potentially wormable. The flaw has been assigned a CVSS v3 score of 9.8 out of 10, and the patch should be applied as soon as possible.
The critical flaw in Outlook – tracked as CVE-2020-16947 – is particularly serious, as an attacker could exploit the flaw simply by sending a specially crafted email to a user. The user would not need to open the email for the flaw to be exploited, as the attack vector is the Preview Pane. The flaw lies in how HTML content in the email is parsed: the length of user-supplied data is not properly validated before it is copied to a fixed-length heap-based buffer. The Zero Day Initiative already has a working proof-of-concept exploit for the vulnerability, and exploits are expected to be used in the wild soon. The flaw has been assigned a CVSS v3 base score of 8.1, but despite the relatively low score, patching should be prioritized.
A critical Hyper-V flaw – CVE-2020-16891 – has been fixed. The flaw could be exploited by an attacker to run a specially crafted application on a vulnerable guest OS and execute arbitrary code. The flaw has been assigned a CVSS v3 score of 8.8. Two SharePoint flaws have been corrected – CVE-2020-16951 and CVE-2020-16952 – which are due to issues with checking the source markup of an application package, which could allow the execution of arbitrary code in the context of the SharePoint application pool or server farm account. Both have been assigned a CVSS v3 score of 8.6.
Two vulnerabilities have been patched that affect the Windows Camera Codec – CVE-2020-16967 and CVE-2020-16968 – both of which are due to insufficient validation of user-supplied data, resulting in the writing of data outside the allocated buffer. Both have been assigned a CVSS v3 score of 7.8.
A Windows Graphics Device Interface vulnerability – CVE-2020-16911 – rated 8.8, a Base3D rendering engine vulnerability – CVE-2020-17003 – rated 7.8, a Graphics components vulnerability – CVE-2020-16923 – rated 7.8, and a Media Foundation Library vulnerability – CVE-2020-16915 – rated 7.8, are the remaining critical flaws that have been patched this month.
Adobe Fixes Critical Flash Player Flaw
A remote code execution flaw has been discovered in Adobe Flash Player. Adobe reports that “Successful exploitation could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user.”
The flaw could be exploited if an attacker inserts malicious strings into an HTTP response delivered over TLS. The flaw has been corrected in Adobe Flash Player version 188.8.131.525 for Windows, macOS, and Chrome OS.
Adobe is unaware of any attempted exploitation in the wild and says the flaw is relatively difficult to exploit. Adobe does not expect the flaw to be exploited soon but updating to the latest version is recommended.
Users have been warned that Adobe will stop issuing updates for Adobe Flash on December 31, 2020. From the end of the year, the Adobe Flash Plugin will no longer be supported by browsers.