Microsoft has released fixes for 112 vulnerabilities, which includes an actively-exploited zero-day flaw, as part of its November 2020 Patch Tuesday,
Of the 112 vulnerabilities mounted, 17 were categorised as ‘critical’, 93 as ‘important’, and two as ‘moderate’.
Amongst the fixes issued by Microsoft was a patch for a zero-day privilege escalation vulnerability in the Windows Kernel Cryptography Driver (cng.sys), tracked below CVE-2020-17087.
In accordance to Tenable employees research engineer Satnam Narang, CVE-2020-17087 was “exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer overflow vulnerability in the FreeType 2 library employed by Google Chrome”.
“The elevation of privilege vulnerability was used to escape Google Chrome’s sandbox in get to elevate privileges on the exploited procedure. This is the next vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the previous calendar year,” he stated.
Narang included that “chaining vulnerabilities is an critical tactic for menace actors”.
“The Cybersecurity and Infrastructure Security Company (CISA) printed a joint advisory with the FBI last month that highlighted danger actors chaining unpatched vulnerabilities to attain first access into a concentrate on atmosphere and elevate privileges.
“Even nevertheless Google and Microsoft have now patched these flaws, it is very important for companies to guarantee they’ve applied these patches before danger actors commence to leverage them more broadly.”
Microsoft was also criticised for eradicating CVE description data from its Patch Tuesday release. Tenable CSO Bob Huber explained the determination as a “bad transfer, plain and simple”, incorporating that “by relying on CVSSv3 rankings on your own, Microsoft is removing a ton of important vulnerability details that can support tell organizations of the business enterprise risk a unique flaw poses to them”.
“Although I take pleasure in that they are adopting the business-typical format in CVSSv3, Microsoft also will have to look at that numerous people who critique Patch Tuesday releases aren’t security practitioners. They are the IT counterparts liable for truly applying the updates who typically are not capable (and should not have to) decipher uncooked CVSS data,” stated Huber.
Adobe has also introduced a smaller security update to resolve vulnerabilities in Link and Reader Cell. This arrives just days after the software service provider urged Windows and macOS buyers to update their Acrobat and Reader apps just after identifying that they contained flaws that could be exploited to execute arbitrary code.
Some elements of this post are sourced from: