Microsoft formally unveiled fixes for 87 newly found out security vulnerabilities as section of its November 2020 Patch Tuesday, like an actively exploited zero-day flaw disclosed by Google’s security crew final 7 days.
The rollout addresses a complete of 112 vulnerabilities, 17 of which are rated critical, at the time once more bringing the patch count over 110 right after a fall previous thirty day period.
The security updates encompass a selection of program, together with Microsoft Windows, Business and Place of work Services and Web Applications, Internet Explorer, Edge, ChakraCore, Exchange Server, Microsoft Dynamics, Windows Codecs Library, Azure Sphere, Windows Defender, Microsoft Teams, and Visual Studio.
Main between those preset is CVE-2020-17087 (CVSS score 7.8), a buffer overflow flaw in Windows Kernel Cryptography Driver (“cng.sys”) that was disclosed on Oct 30 by the Google Challenge Zero as getting used in conjunction with a Chrome zero-working day to compromise Windows 7 and Windows 10 buyers.
For its portion, Google launched an update for its Chrome browser to address the zero-day (CVE-2020-15999) final thirty day period.
Microsoft’s advisory about the flaw would not go into any particulars past the actuality that it was a “Windows Kernel Area Elevation of Privilege Vulnerability” in part to restructure security advisories in line with the Typical Vulnerability Scoring Method (CVSS) format starting this month.
Outdoors of the zero-day, the update fixes a range of distant code execution (RCE) vulnerabilities impacting Trade Server (CVE-2020-17084), Network File Technique (CVE-2020-17051), and Microsoft Teams (CVE-2020-17091), as properly as a security bypass flaw in Windows Hyper-V virtualization software (CVE-2020-17040).
CVE-2020-17051 is rated 9.8 out of a maximum 10 on the CVSS score, making it a critical vulnerability. Microsoft, however, noted that the attack complexity of the flaw — the conditions over and above the attacker’s control that must exist in get to exploit the vulnerability — is reduced.
As with the zero-day, the advisories affiliated with these security shortcomings are mild on descriptions, with very little to no info on how these RCE flaws are abused or which security function in Hyper-V is remaining bypassed.
Other critical flaws set by Microsoft this month consist of memory corruption vulnerabilities in Microsoft Scripting Engine (CVE-2020-17052) and Internet Explorer (CVE-2020-17053), and a number of RCE flaws in HEVC Video clip Extensions Codecs library.
It really is hugely proposed that Windows consumers and method directors apply the hottest security patches to take care of the threats linked with these issues.
To put in the most current security updates, Windows buyers can head to Commence > Options > Update & Security > Windows Update, or by selecting Test for Windows updates.
Identified this posting exciting? Abide by THN on Facebook, Twitter and LinkedIn to study a lot more special content we post.
Some pieces of this write-up are sourced from: