Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
October Overview
Justin Knapp, General Overview
While October’s Patch Tuesday presents us with a lighter load than what we’ve grown accustomed to over the course of 2020, we still have 89 Microsoft patches and a bevy of critical RCE vulnerabilities to contend with this month. With Zerologon stealing the spotlight the last several weeks, we now shift our attention to 11 new critical vulnerabilities while emphasizing the potential significance of a TCP/IP related flaw that’s considered more likely to be exploited. This may not be a record-breaking month in terms of overall quantity, but October poses a familiar challenge that continues to persist in the form of delayed patch deployment, unfortunately increasing risk at a time when attack frequency is going up. With remote work complicating matters further, we’re witnessing a major shift within the IT landscape to lean on cloud-based solutions for distribution just to keep pace with the endless flow of updates across an increasingly distributed workforce.
Jay Goodman, Windows Updates
It continues to be a spooky year as organizations are faced with yet another scary pile of vulnerabilities from Microsoft. This month adds another 89 vulnerabilities, including 11 critical vulnerabilities. The only saving grace is that this marks the first month in nearly a year with less than 100 vulnerabilities. Cleanly addressing and patching these vulnerabilities continues to be critical for organizations to keep their endpoints protected. Again, an absence of zero-day vulnerabilities gives a bit of breathing room, however organizations should still strive to patch the critical vulnerabilities within that 72 hour window. This month does include a highly pervasive vulnerability within the TCP/IP stack that could allow remote code execution and should be addressed quickly.
Nicholas Colyer, Adobe Updates
This month Adobe issued bulletin APSB20-58 for a NULL pointer dereference vulnerability leading to remote code execution in Adobe Flash Player. Platforms impacted include Windows RT, Server 2012, Server 2012 R2, Server 2016, Server 2019, and Windows 10 for 32-bit and 64-bit flavors across various build versions. As is typically the case for Flash Player vulnerabilities, web-based exploitation is the primary vector of exploitation but not the only one. These vulnerabilities can also be exploited through an embedded ActiveX control in a Microsoft Office document or any application that uses the IE rendering engine.
As a security best practice, remediation of commonly exploitable or recurring threat vectors is always strongly encouraged. For organizations that cannot remove Adobe Flash due to a business-critical function, it is recommended to mitigate the threat potential of these vulnerabilities by preventing Adobe Flash Player from running altogether via the killbit feature, set a Group Policy to turn off instantiation of Flash objects, or limit trust center settings prompting for active scripting elements.
Chris Hass, Why Remote Code Execution (RCE) Is So Common and Impactful
While the number of vulnerabilities patched by Microsoft is a bit lighter this month than the last few months, the number of RCEs still stays somewhat steady. This presents a challenge to IT Ops and Sec Ops teams to patch these RCEs as soon as possible.
Remote Code Execution Vulnerabilities provide an attacker with initial access to a system without any user action; the latter is often the most important. Unlike a malicious attachment in a phishing email, or trojan horse that you downloaded when trying to install a Minecraft mod, all the attacker needs to do is find an unpatched system, send the exploit and wait for the vulnerable system to give them access.
Once that attacker has access to the system, there are numerous ways the attacker could do damage. They could exfiltrate sensitive data, escalate privilege, propagate to additional systems on the network to gain a larger foothold in the organization, or even drop ransomware and force the system’s owner to pay to get access back.
Critical Vulnerability Breakdown
Nicholas Colyer - CVE-2020-16947 - Microsoft Outlook Remote Code Execution Vulnerability
CVE-2020-16947 is a critical remote code execution vulnerability attributed to improper memory handling within Microsoft Office. Successful exploitation of this vulnerability allows arbitrary code execution in the context of the System privileged user via a maliciously crafted email. While exploitability is expected to be less likely, the “Preview Pane” feature of Outlook is a listed attack vector. Given the prevalence of email and past precedent of weaponization for this type of vulnerability, it is recommended to patch immediately.
Nicholas Colyer - CVE-2020-16951 // -16952 - Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2020-16951 and 16952 are critical remote code execution vulnerabilities in Microsoft SharePoint due to a validation failure of application package source markup. Successful exploitation requires a maliciously crafted SharePoint application package to be uploaded to a vulnerable instance, resulting in arbitrary code execution in the context of the SharePoint application pool and server farm account, respectively. This vulnerability is less likely to be exploited, especially where role-based access control has been implemented with adherence to the principle of least privilege.
Nicholas Colyer - CVE-2020-16896 - Windows Remote Desktop Protocol
CVE-2020-16896 is an information disclosure vulnerability in Windows Remote Desktop Protocol attributable to the manner in which RDP handles connection requests. Successful exploitation requires a maliciously crafted request to an affected system providing an attacker with read-only access to the Windows RDP server process on the remote host. The exploit itself does not provide for remote code execution but could be leveraged for additional information gathering in support of further attack and possible system compromise. There are several workarounds published, including enabling Network Level Authentication (NLA), and blocking TCP 3389 at perimeter firewalls to limit exposure. It is officially recommended to patch this vulnerability as soon as possible, given its higher likelihood to be exploited.
Chris Hass - CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability
CVE-2020-16898 and CVE-2020-16899 are a couple of highly impactful vulnerabilities patched this month.
CVE-2020-16898, a Critical Remote Code Execution bug, found in Windows TCP/IP stack, can be exploited when the stack improperly handles ICMPv6 Router Advertisement packets. ICMPv6 is an integral part of IPv6 and performs error reporting and diagnostic functions, commonly implemented when someone issues the ping command from a terminal or command prompt. If successfully exploited, the attacker would gain the ability to execute code on the target server or client.
CVE-2020-16899 is a vulnerability found in the same Windows TCP/IP stack; however, an attacker could leverage this vulnerability to perform a Denial of Service attack, bringing new meaning to the term “ping of death.” Both vulnerabilities have been deemed more likely to be exploited. The only good news is that Microsoft’s internal security team unearthed the vulnerabilities, meaning PoC code likely won’t surface until someone reverse engineers the patch and discovers the source of these vulnerabilities.
Nevertheless, CVE-2020-16898 and CVE-2020-16899 should be patched as soon as possible.
Jay Goodman - CVE-2020-16967, -16968 Windows Codecs Remote Code Execution
CVE-2020-16967 and 16968 are remote code execution vulnerabilities identified in the Windows Camera Codec Pack. These vulnerabilities exploit how the codecs handle objects in memory and can lead to remote code execution. Windows Camera Codec Pack is present in most builds of Windows 10. Malicious actors can use this vulnerability to take control of an affected system, install programs, view or change data, or create new user accounts with full user rights. Remote code execution vulnerabilities are particularly nefarious given that they enable attackers to directly run malicious code on the exploited systems.
To see all the latest details and advice on this month’s Patch Tuesday, check out the Automox Patch Tuesday Rapid Response Center.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.