Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
November Overview
Jay Goodman - General Overview
After a slight downward trend in overall patches for October, Microsoft got right back into the swing of 2020 again with another tranche of patches and vulnerabilities to address. November brings patches to address 112 new vulnerabilities, with 17 critical vulnerabilities. This is yet another month with an unusually high number of remote code execution vulnerabilities. 2020 looks to close out the year with consistent delivery of new challenges across the board, and this month is no different. With both a heavy load of patches and critical, time-sensitive patches for both Chrome and Adobe products released out-of-band, IT teams will have their hands full putting out the fires.
Today’s Patch Tuesday package is sure to strain VPN infrastructure again and many organizations are likely to encounter VPN failures or downtime from legacy on-premises patch management tools buckling under the pressure. VPNs are not designed to extend the IT perimeter and with a large number of remote employees and devices, we are facing a situation where there is no functional perimeter for your organization. Many organizations committed to solving these problems in the short term by expanding their VPNs to meet the new demands for remote workforces. However, we are now seeing that these knee-jerk reactions are not able to continue to scale as organizations realize this change is no longer temporary. Organizations who went this route are now facing steep operational costs associated with the shift that will burden their IT budgets well into 2021 and beyond.
Nick Colyer, General Overview + Adobe Updates
Adobe issued bulletin APSB20-67 on November 3 covering 14 vulnerabilities in distribution across Adobe DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017, and Acrobat Reader 2017. A highlight for consideration are 3 critical vulnerabilities involving common weakness enumerations classed in use-after-free, out-of-bounds write, and heap-based buffer overflows. 11 additional vulnerabilities affect race conditions, out-of-bounds read, and signature-based CWE topics.
Attackers often look to capitalize on the curious clicks from end-users and subsequently achieve remote code execution. This is especially of note given the current political climate and should serve not only as a reminder to address technical controls in prioritizing patching for criticals CVE-2020-24435 // -24436, // -24430 // -24437, but also to stay vigilant in commitment to robust end-user cybersecurity awareness. Given recent nation-state malicious threat advisories from the Cybersecurity and Infrastructure Security Agency (CISA), it is advisable to complement this patch cycle with a phishing exercise relevant to current events.
Nick Colyer, Google Patches Chrome Zero-Day Vulnerabilities
Google has patched its third zero-day vulnerability in recent weeks across a variety of security issues concerning its browser, Google Chrome. CVE-2020-16010 is the most recent addressing a zero-day heap buffer overflow affecting Android UI components, CVE-2020-16009 affects heap corruption via maliciously crafted HTML page, and CVE-2020-15999 which involves a FreeType font-related vulnerability in association with maliciously crafted input. These vulnerabilities are currently being exploited in the wild paired with Microsoft CVE-2020-17087 (a Windows Kernel Cryptographic Driver vulnerability) and as such it is highly advisable to prioritize remediations, especially given the nature of web browsers as a function of exploitation vector for attackers and end-user productivity.
Critical Vulnerability Breakdown
Chris Hass - CVE-2020-17051
One of the most critical vulnerabilities patched this Tuesday is CVE-2020-17051, a remote code execution (RCE) vulnerability found in Windows’ Network File System. Windows’ NFS is essentially a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory. As you can imagine, with the functionality this service provides, attackers have been taking advantage of it to gain access to critical systems for a long time. It won’t be long before we see scanning of port 2049 increase over the next few days, with exploitation in the wild likely to follow.
Chris Hass - CVE-2020-17052, CVE-2020-17053
Microsoft patched CVE-2020-17052 and CVE-2020-17053, a pair of critical memory corruption vulnerabilities that could lead to remote code execution found in Microsoft’s Scripting Engine and Internet Explorer, respectively. While both vulnerabilities affect the network stack, user interaction is required.
A likely attack scenario would be to embed a malicious link in a phishing email that the victim would click to lead to a compromised landing page hosting the exploit. While Chrome still dominates the browser game, with the recent Mozilla layoffs Microsoft has picked up some new users, increasing the scope and number of active vulnerable browsers out there.
Jay Goodman - CVE-2020-17042 - Windows Print Spooler Remote Code Execution Vulnerability and CVE-2020-17078, CVE-2020-17079, CVE-2020-17082 - Microsoft Raw Image Extension Remote Code Execution Vulnerability
This month’s critical patches include a host of new remote code execution vulnerabilities to address across numerous Microsoft services and operating systems. To start with, CVE-2020-17042 is a remote code execution vulnerability in Windows Printer Spool. This service is very common amongst Windows operating systems. The vulnerability impacts every version of the Microsoft OS back to 8.1, including the Windows Server builds.
Additional remote code execution vulnerabilities were found in the Microsoft Raw Image Extension (CVE-2020-17078, CVE-2020-17079, and CVE-2020-17082). Raw Image Extension is a small but useful add-on for the Microsoft Photos app, which brings support for RAW image files that are commonly used by photographers. These remote code execution vulnerabilities allow attackers to access a system and read or delete contents, make changes, or directly run code on the system.
This gives an attacker quick and easy access to not only your organization’s data but also a platform to perform additional malicious attacks against other devices in your environment. Services like LNK and VBScript as well as .NET Framework are extremely common across many Windows systems. This gives attackers a plethora of potential targets to compromise and move laterally from once access is gained.
Nick Colyer - CVE-2020-17106 // -17107 // -17108 // -17109 // -17110 - HEVC Video Extensions Remote Code Execution Vulnerability
CVE-2020-17106, 17107, 17108, 17109, 17110 are all critical remote code execution vulnerabilities affecting Microsoft HEVC Video Extensions. These vulnerabilities do not affect default Windows 10 installations rather impacting only systems that have installed the optional “HEVC from Device Manufacturer” codecs via the official Microsoft Store. Due to the fact that HEVC Video Extensions are not native to default Windows installations and user interaction is required, exploitability is considered less likely.
Critical remote code execution vulnerabilities are some of the most serious to consider prioritizing, especially when maturing organizations lack automated patch management tooling. It is advisable in these instances as well as when organizations require the use of HEVC codec support, to elevate the priority for addressing these in their environment to reduce threat surface and improve overall security posture.
To see all the latest details and advice on this month’s Patch Tuesday, check out the Automox Patch Tuesday Rapid Response Center.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.