Remote code execution vulnerabilities dominate this month’s security bulletin of warnings and patches.
Microsoft’s November Patch Tuesday roundup of security fixes tackled an unusually large crop of remote code execution (RCE) bugs. Twelve of Microsoft’s 17 critical patches were tied to RCE bugs. In all, 112 vulnerabilities were patched by Microsoft, with 93 rated important and two rated low in severity.
Tracked as CVE-2020-17087, a single Windows kernel local elevation of privilege vulnerability was red-flagged by Microsoft as being actively exploited in the wild. Last week, the bug was disclosed by Google Project Zero, which reported the flaw was being exploited in the wild alongside a Google Chrome flaw (CVE-2020-15999), which had been patched on Oct. 20.
Microsoft rated the vulnerability (CVE-2020-17087) as important in severity, most likely because an attacker interested in exploiting the bug would need to have physical access to the various installs of Windows Server, Windows 10/RT/8.1/7 impacted by the flaw. According to Google, the bug has to do with the way the Windows Kernel Cryptography Driver (cng.sys) processes input/output control (IOCTL) in a way that cannot be expressed by regular system calls.
Most Severe
“One of the most critical vulnerabilities patched this Tuesday is CVE-2020-17051, a remote code execution (RCE) vulnerability discovered in Windows’ Network File System (NFS),” wrote Chris Hass, director of information security and analysis at Automox, in his Patch Tuesday analysis.
He explained that the bug is especially concerning “because Windows’ NFS is essentially a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.”
“As you can imagine, with the functionality this service provides, attackers have been taking advantage of it to gain access to critical systems for a long time. It won’t be long before we see scanning of port 2049 increase over the next few days, with exploitation in the wild likely to follow,” he wrote.
Automox researchers also suggested sysadmins prioritize patches for a pair of critical memory corruption vulnerabilities in Microsoft’s Scripting Engine and Internet Explorer. Both (CVE-2020-17052, CVE-2020-17053) could lead to remote code execution.
“A very likely attack scenario would be to embed a malicious link in a phishing email that the victim would click to lead to a compromised landing page hosting the exploit,” Hass wrote.
Descriptions Removed from Patch Tuesday Bulletin
For many Patch Tuesday veterans, it won’t go unnoticed that starting with November’s bulletin Microsoft removed the description section of the CVE overviews. The new approach was announced on Monday by the Microsoft Security Response Center. It describes a heavier reliance on the industry standard Common Vulnerability Scoring System (CVSS) to provide more generalized vulnerability information for Patch Tuesday security bulletins.
“This is a precise method that describes the vulnerability with attributes such as the attack vector, the complexity of the attack, whether an adversary needs certain privileges, etc.,” Microsoft wrote.
For Zero Day Initiative’s Dustin Childs, the new approach makes sense. He said, in many cases, “an accurate CVSS is really all you need. After all, there’s only so much you can say about another SharePoint cross-site scripting (XSS) bug or a local privilege escalation that requires you to log on and run a specially crafted program. However, CVSS itself is not flawless.”
Some parts of this article are sourced from:
threatpost.com