The October 2020 Security Update Review

October 13, 2020 | Dustin Childs

October is here and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for October 2020

Adobe released only one patch for October. It fixes a single vulnerability in Flash, which reaches its end-of-life (EOL) at the end of this year. The patch corrects a NULL pointer dereference bug. These types of bugs rarely lead to security problems as they usually generate an immediate segmentation fault error. However, Adobe states this vulnerability can lead to an exploitable crash and result in code execution in the context of the current user. Considering Flash is so close to its EOL, there’s the possibility this is the last patch we see for the once ubiquitous media player.

Microsoft Patches for October 2020

For October, Microsoft released patches to correct 87 CVEs in Microsoft Windows, Office and Office Services and Web Apps, Azure Functions, Open Source Software, Exchange Server, Visual Studio, .NET Framework, Microsoft Dynamics, and the Windows Codecs Library. That ends the streak of more than 110 CVEs being fixed at seven months (March through September), but you’re not likely to hear any complaints. Microsoft is still on pace to double its CVE count from 2017, but hopefully, the last few months of 2020 will see this lighter load.

Of these 87 patches, 11 are listed as Critical while 75 are listed as Important, and one is listed as Moderate in severity. A total of 11 of these bugs came through the ZDI program. None of these bugs are listed as being under active attack, but six bugs are listed as publicly known at the time of release. Let’s take a closer look at some of the more severe bugs in this release, starting with a bug in the TCP/IP stack that is sure to get some notice:

- CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability
This patch corrects a problem in the TCP/IP stack caused by the way it handles ICMPv6 router advertisements. A specially crafted ICMPv6 router advertisement could cause code execution on an affected system. Since the code execution occurs in the TCP/IP stack, it is assumed the attacker could execute arbitrary code with elevated privileges. If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround. Microsoft also gives this bug its highest exploitability rating, so exploits are likely. You should definitely test and deploy this patch as soon as possible.

- CVE-2020-16947 - Microsoft Outlook Remote Code Execution Vulnerability
This vulnerability was reported through the ZDI program, and it could allow code execution on affected versions of Outlook just by viewing a specially crafted e-mail. The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted. The specific flaw exists within the parsing of HTML content in an email. The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer. Although Microsoft gives this an XI rating of 2, we have a working proof-of-concept. Patch this one quickly.

- CVE-2020-16891 - Windows Hyper-V Remote Code Execution Vulnerability
This patch corrects a bug that allows an attacker to run a specially crafted program on an affected guest OS to execute arbitrary code on the host OS. The write-up doesn’t say at what permission level the code execution occurs, but that shouldn’t stop you from rolling this out to your Hyper-V servers quickly.

- CVE-2020-16909 - Windows Error Reporting Elevation of Privilege Vulnerability
This is one of the six bugs listed as publicly known for this month. The patch corrects an escalation of privilege (EoP) in the Windows Error Reporting (WER) component that could allow an authenticated attacker to execute arbitrary code with escalated privileges. Although this CVE is not listed as being publicly exploited, bugs in this component have been reported as being used in the wild in fileless attacks. Regardless, this and the other bugs in the WER component being fixed this month should not be ignored.

Here’s the full list of CVEs released by Microsoft for October 2020. 

CVE Title Severity Public Exploited XI - Latest XI - Older Type
CVE-2020-16937 .NET Framework Information Disclosure Vulnerability Important Yes No 2 2 Info
CVE-2020-16909 Windows Error Reporting Elevation of Privilege Vulnerability Important Yes No 2 2 EoP
CVE-2020-16901 Windows Kernel Information Disclosure Vulnerability Important Yes No 2 2 Info
CVE-2020-16938 Windows Kernel Information Disclosure Vulnerability Important Yes No 2 2 Info
CVE-2020-16908 Windows Setup Elevation of Privilege Vulnerability Important Yes No 2 2 EoP
CVE-2020-16885 Windows Storage VSP Driver Elevation of Privilege Vulnerability Important Yes No 2 2 EoP
CVE-2020-17003 Base3D Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-16911 GDI+ Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-16915 Media Foundation Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2020-16923 Microsoft Graphics Components Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-16947 Microsoft Outlook Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-16951 Microsoft SharePoint Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-16952 Microsoft SharePoint Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-16967 Windows Camera Codec Pack Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-16968 Windows Camera Codec Pack Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-16891 Windows Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2020-16904 Azure Functions Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16918 Base3D Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-16943 Dynamics 365 Commerce Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16939 Group Policy Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16924 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-16956 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability Important No No 2 2 XSS
CVE-2020-16978 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability Important No No 2 2 XSS
CVE-2020-16929 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-16930 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-16931 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-16932 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-16969 Microsoft Exchange Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1167 Microsoft Graphics Components Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-16957 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-16928 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16934 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16955 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16954 Microsoft Office Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-16945 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-16946 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2020-16941 Microsoft SharePoint Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-16942 Microsoft SharePoint Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-16948 Microsoft SharePoint Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-16950 Microsoft SharePoint Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-16953 Microsoft SharePoint Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-16944 Microsoft SharePoint Reflective XSS Vulnerability Important No No 2 2 XSS
CVE-2020-16933 Microsoft Word Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2020-16897 NetBT Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-16995 Network Watcher Agent virtual machine extension for Linux Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16886 PowerShellGet Module WDAC Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2020-16977 Visual Studio Code Python Extension Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-16907 Win32k Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-16913 Win32k Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-16940 Windows - User Profile Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16876 Windows Application Compatibility Client Library Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16920 Windows Application Compatibility Client Library Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16912 Windows Backup Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16936 Windows Backup Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16972 Windows Backup Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16973 Windows Backup Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16974 Windows Backup Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16975 Windows Backup Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16976 Windows Backup Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16916 Windows COM Server Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16935 Windows COM Server Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16877 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16919 Windows Enterprise App Management Service Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-16905 Windows Error Reporting Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16895 Windows Error Reporting Manager Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16900 Windows Event System Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16914 Windows GDI+ Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-1243 Windows Hyper-V Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2020-1047 Windows Hyper-V Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-1080 Windows Hyper-V Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16892 Windows Image Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16902 Windows Installer Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16980 Windows iSCSI Target Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16890 Windows Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16889 Windows KernelStream Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-16894 Windows NAT Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2020-16887 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16927 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2020-16896 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important No No 1 1 Info
CVE-2020-16863 Windows Remote Desktop Service Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2020-16910 Windows Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2020-16922 Windows Spoofing Vulnerability Important No No 1 1 Spoofing
CVE-2020-0764 Windows Storage Services Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2020-16899 Windows TCP/IP Denial of Service Vulnerability Important No No 1 1 DoS
CVE-2020-16921 Windows Text Services Framework Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2020-16949 Microsoft Outlook Denial of Service Vulnerability Moderate No No 2 2 DoS
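
Each row in the list above places a title that itself contains spaces between the CVE id and six fixed trailing fields, so a row has to be matched against its fixed ends rather than split on whitespace. The following is an added example, not part of the original post: it parses rows in that layout and orders them for patch triage. The ordering rule (exploited first, then public or XI 1, then severity) is an assumption made for illustration, and the sample rows are copied from the list.

```python
import re

# Rows copied from the list above. Column order:
# CVE, Title, Severity, Public, Exploited, XI - Latest, XI - Older, Type
SAMPLE_ROWS = """\
CVE-2020-16909 Windows Error Reporting Elevation of Privilege Vulnerability Important Yes No 2 2 EoP
CVE-2020-16947 Microsoft Outlook Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2020-16913 Win32k Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2020-16949 Microsoft Outlook Denial of Service Vulnerability Moderate No No 2 2 DoS
"""

# The title contains spaces, so anchor on the CVE id and the six trailing fields.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low)\s+"
    r"(?P<public>Yes|No)\s+(?P<exploited>Yes|No)\s+"
    r"(?P<xi_latest>\S+)\s+(?P<xi_older>\S+)\s+(?P<type>\S+)$"
)
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

def parse_rows(text):
    """Return (rows, rejected): parsed dicts and lines that did not fit the layout."""
    rows, rejected = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
        else:
            rejected.append(line)  # keep visible so no row is dropped silently
    return rows, rejected

def triage_key(row):
    """Assumed ordering: exploited, then public or XI 1, then severity, then CVE id."""
    urgent = row["public"] == "Yes" or row["xi_latest"] == "1"
    return (row["exploited"] != "Yes", not urgent, SEVERITY_RANK[row["severity"]], row["cve"])

def triage(text):
    rows, rejected = parse_rows(text)
    return sorted(rows, key=triage_key), rejected

if __name__ == "__main__":
    ordered, rejected = triage(SAMPLE_ROWS)
    for r in ordered:
        print(r["cve"], r["severity"], r["type"], "public=" + r["public"], "XI=" + r["xi_latest"])
    for line in rejected:
        print("unparsed:", line)
```

Lines that do not fit the layout, such as the header row, are returned in the rejected list rather than discarded.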

Of the remaining publicly known bugs, two are EoP bugs in the Windows Setup component and the Windows Storage VSP Driver. The remaining public bugs are information disclosure bugs in the kernel and .NET Framework. These info disclosure bugs leak the contents of kernel memory but do not expose any personally identifiable information.

Checking on the remaining Critical-rated bugs, two impact the Windows Camera Codec and were reported by ZDI vulnerability researcher Hossein Lotfi. These bugs result from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Sticking with the media theme, there are also code execution bugs in Media Foundation Library, Base3D rendering engine, Graphics components, and GDI+. The final Critical-rated bugs are code execution vulnerabilities in SharePoint Server. In both cases, the attacker would need to upload a specially crafted SharePoint application package to an affected version of SharePoint to get arbitrary code execution. This can be accomplished by an unprivileged SharePoint user if the server’s configuration allows it.

Moving on to the Important-rated bugs, the first that pops out is a spoofing bug in Windows that could allow an attacker to load improperly signed files. This could also be considered a security feature bypass (SFB) since Windows is designed to only load files with valid signatures. A different bug that is listed as an SFB could allow an attacker to create files in a protected Unified Extensible Firmware Interface (UEFI) location. Another interesting SFB being fixed this month resides in Word when it improperly handles .LNK files. An attacker could perform actions in the context of whoever opens a specially crafted Word doc. While not arbitrary code execution, it certainly can be useful for attackers. A final SFB exists in PowerShell. This one could allow an attacker to bypass the Windows Defender Application Control (WDAC) policy and execute arbitrary code on a policy locked-down machine.

Including the cases previously mentioned, there are 36 patches to address EoP bugs this month. While this is a lower number than some other months, it still represents 42.5% of the total release for October. In almost all of these cases, an attacker would need to log on to an affected system and run their application. Affected components include Office Click-to-Run, the Backup Service, Azure Functions, Dynamics 365, Group Policy, and Windows COM. Also getting an EoP patch is the Network Watcher Agent Virtual Machine Extension for Linux. However, to get this update, you’ll need to manually update the Network Watcher Agent virtual machine extensions. As someone who has been in the industry for a while, it’s still odd to see Microsoft release patches for Linux. It’s a welcome change.

Moving on to the Denial-of-Service (DoS) bugs, there are only five this month, and one of those is rated Moderate. However, there is a DoS in the TCP/IP stack similar to the RCE bug previously mentioned. In this case, malformed ICMPv6 Router Advertisements could cause a system to stop responding. Not quite as bad as code execution, but not good. There are also two DoS bugs in the Remote Desktop Protocol and Hyper-V server.

There are 15 information disclosure bugs receiving patches this month, including those previously mentioned. For the most part, the information leaked consists of unspecified memory contents. Not so for the info disclosure bug in Microsoft Exchange. This improper token validation bug could potentially leak IDs, tokens, nonces, and other sensitive information. According to the write-up, an attacker could exploit this by sending specially crafted OWA messages that could be loaded without warning or filtering. Information disclosure bugs can be easy to overlook, but don’t discount this one. Finally, this month’s release is rounded out by five cross-site scripting (XSS) bugs in Dynamics 365 (On-Premise) and SharePoint Server.

Looking at the advisories for October, the first is Microsoft’s version of the aforementioned patch for Flash in Internet Explorer. The other is the update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.

Looking Ahead

The next Patch Tuesday falls on November 10, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!