Remote code execution vulnerabilities dominate this month’s security bulletin of warnings and patches.
Microsoft’s November Patch Tuesday roundup of security fixes tackled an unusually large crop of remote code execution (RCE) bugs. Twelve of Microsoft’s 17 critical patches were tied to RCE bugs. In all, 112 vulnerabilities were patched by Microsoft, with 93 rated important, and two rated low in severity.
One Windows kernel local elevation of privilege vulnerability, tracked as CVE-2020-17087, was flagged by Microsoft as being actively exploited in the wild. Last week, the bug was disclosed by Google Project Zero, which said the flaw was being exploited in the wild together with a Google Chrome flaw (CVE-2020-15999), which had been patched on Oct. 20.
Microsoft rated the vulnerability (CVE-2020-17087) as critical in severity, likely because an attacker interested in exploiting the bug would need to have physical access to the various installations of Windows Server and Windows 10/RT/8.1/7 affected by the flaw. According to Google, the bug has to do with the way the Windows Kernel Cryptography Driver (cng.sys) processes input/output control (IOCTL) in a way that cannot be expressed by regular system calls.
“One of the most critical vulnerabilities patched this Tuesday is CVE-2020-17051, a remote code execution (RCE) vulnerability found in Windows’ Network File System (NFS),” wrote Chris Hass, director of information security and research at Automox, in his Patch Tuesday analysis.
He explained that the bug is particularly concerning “because Windows’ NFS is essentially a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.”
“As you can imagine, with the functionality this service provides, attackers have been taking advantage of it to gain access to critical systems for a long time. It won’t be long before we see scanning of port 2049 increase over the next few days, with exploitation in the wild likely to follow,” he wrote.
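For defenders who want to watch for the port 2049 scanning Hass anticipates, the following added example (not from the article or from Automox) flags sources that touch TCP 2049 on several distinct hosts within a short window. The log format, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

NFS_PORT = 2049

# Constructed firewall log lines in a made-up format (documentation-range addresses).
SAMPLE_LOG = """\
2020-11-11T09:00:01 DENY TCP 198.51.100.7:40112 -> 10.0.0.5:2049
2020-11-11T09:00:02 DENY TCP 198.51.100.7:40113 -> 10.0.0.6:2049
2020-11-11T09:00:03 DENY TCP 198.51.100.7:40114 -> 10.0.0.7:2049
2020-11-11T09:00:05 ALLOW TCP 10.0.0.20:51000 -> 10.0.0.5:2049
2020-11-11T09:01:05 ALLOW TCP 10.0.0.20:51001 -> 10.0.0.5:2049
2020-11-11T09:00:10 ALLOW TCP 203.0.113.9:33000 -> 10.0.0.5:443
2020-11-11T09:00:11 ALLOW TCP 203.0.113.9:33001 -> 10.0.0.6:443
2020-11-11T09:00:12 ALLOW TCP 203.0.113.9:33002 -> 10.0.0.7:443
2020-11-11T09:00:00 DENY TCP 192.0.2.44:42000 -> 10.0.0.5:2049
2020-11-11T09:15:00 DENY TCP 192.0.2.44:42001 -> 10.0.0.6:2049
2020-11-11T09:30:00 DENY TCP 192.0.2.44:42002 -> 10.0.0.7:2049
"""

LINE_RE = re.compile(r"(\S+) (ALLOW|DENY) TCP (\S+):\d+ -> (\S+):(\d+)")

def nfs_scanners(log_text, min_hosts=3, window=timedelta(minutes=5)):
    """Return {source: sorted destinations} for sources that reached TCP 2049
    on at least min_hosts distinct hosts inside one sliding window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(5)) != NFS_PORT:
            continue  # unparsable line or not NFS traffic
        hits[m.group(3)].append((datetime.fromisoformat(m.group(1)), m.group(4)))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged
```

A single client talking repeatedly to one NFS server is not flagged; widening `window` also catches the slower sweep from 192.0.2.44.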
Automox researchers also recommended that sysadmins prioritize patches for a pair of critical memory corruption vulnerabilities in Microsoft’s Scripting Engine and Internet Explorer. Both (CVE-2020-17052, CVE-2020-17053) could lead to remote code execution.
“A possible attack scenario would be to embed a malicious link in a phishing email that the victim would click on, leading to a compromised landing page hosting the exploit,” Hass wrote.
Descriptions Removed from Patch Tuesday Bulletin
For many Patch Tuesday veterans, it will not go unnoticed that starting with November’s bulletin Microsoft removed the description section of the CVE overviews. The new approach was announced on Monday by the Microsoft Security Response Center. It describes a heavier reliance on the industry-standard Common Vulnerability Scoring System (CVSS) to provide more generalized vulnerability information for Patch Tuesday security bulletins.
“This is a precise method that describes the vulnerability with attributes such as the attack vector, the complexity of the attack, whether an adversary needs certain privileges, etc.,” Microsoft wrote.
For Zero Day Initiative’s Dustin Childs, the new approach makes sense. He said, in many cases, “an accurate CVSS is really all you need. After all, there is only so much you can say about another SharePoint cross-site scripting (XSS) bug or a local privilege escalation that requires you to log on and run a specially crafted program. However, CVSS itself is not flawless.”
Tenable’s chief security officer, Bob Huber, was not as generous.
“Microsoft’s decision to remove CVE description information from its Patch Tuesday release is a bad move, plain and simple. By relying on CVSSv3 ratings alone, Microsoft is eliminating a ton of valuable vulnerability data that can help inform organizations of the business risk a particular flaw poses to them,” he wrote.
He argued that the new format was a blow to security and a boon to adversaries. “End-users [will be] completely blind to how a particular CVE impacts them. What’s more, this makes it nearly impossible to determine the urgency of a given patch. It’s difficult to understand the benefits to end-users.”
Huber added: “However, it’s not too difficult to see how this new format benefits bad actors. They’ll reverse engineer the patches and, by Microsoft not being explicit about vulnerability details, the advantage goes to attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for defenders to prioritize their remediation efforts.”