Microsoft emits 112 security hole fixes – including the cure for a Google-disclosed kernel vuln exploited in the wild • The Register


Patch Tuesday Microsoft revealed fixes for 112 software vulnerabilities for its November Patch Tuesday, 17 of which have been rated critical.

Of the rest, 93 are rated important, and two are rated low severity.

Fifteen Microsoft products are affected, including: Microsoft Windows, Office, Internet Explorer, Edge (EdgeHTML and Chromium), ChakraCore, Exchange Server, Dynamics, Windows Codecs Library, Azure Sphere, Windows Defender, Teams, Azure SDK, Azure DevOps, and Visual Studio.

One of the fixed flaws is being actively exploited: the Windows Kernel Cryptography Driver vulnerability (CVE-2020-17087) disclosed by Google’s Project Zero at the end of last month.

This elevation-of-privilege hole was abused in the wild along with CVE-2020-16009, a Chrome JavaScript engine remote-code execution flaw, to compromise victims’ computers when they visited, say, malicious webpages. The CVE-2020-17087 driver bug was also exploited with CVE-2020-15999, a remote-code exec vulnerability in Chrome’s font-parsing code, to hijack targeted people’s PCs. All three bugs are now patched; installing the latest software updates fixes them.

“One of the notable fixes in this month’s release is for CVE-2020-17087, an elevation-of-privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer-overflow vulnerability in the FreeType 2 library used by Google Chrome,” Satnam Narang, staff research engineer at security biz Tenable, told The Register.

“The elevation-of-privilege vulnerability was used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year.”


Narang said the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI last month published a joint advisory warning that miscreants are chaining unpatched vulnerabilities together to compromise and gain access to targets.

Zero Day Initiative’s Dustin Childs in a blog post noted the relatively high number of remote-code execution (RCE) bugs getting repaired this month.

“Beyond the Critical-rated ones already mentioned, the bug in Microsoft Teams stands out – simply because so many students are using Teams right now and may not be as security savvy as adults,” Childs said. “It does require user interaction, so remind your kids not to click on links from strangers.”

The Teams RCE bug, designated CVE-2020-17091, is only rated important.

Along with its patch dump, Microsoft has redesigned how it presents vulnerability information in its online Security Update Guide. Redmond suggests its design change conveys vulnerability information more concisely. But Childs criticized the layout revision, stating that less information is now revealed, which makes it more difficult to assess the risks of various bugs.

Other companies posted their own lists of security shortcomings. Google published details about 20 Android flaws, plus bugs identified in MediaTek and Qualcomm components. Adobe, after firing off an out-of-band update last week, published two new bulletins. Intel published 36 security advisories. SAP is offering 12 new advisories alongside three updates to earlier ones. Red Hat has released 21 security updates.

In all, it's enough to keep IT admins and users busy patching for a while. ®
