November is here and with it come the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.
Adobe Patches for November 2020
Adobe kicked off their November patch cycle a bit early by releasing an update for Acrobat and Reader last Tuesday. The patch fixes 14 CVEs, four of which were reported through the ZDI program. Four of these CVEs are rated as Critical and could lead to code execution if a user opened a specially crafted PDF.
Today, Adobe released patches for Reader for Android and Connect fixing three total CVEs. The update for Reader for Android fixes an info disclosure bug. The two CVEs addressed by the Connect patch cover reflective cross-site scripting (XSS) bugs. None of the CVEs fixed by Adobe this or last week were listed as publicly known or under active attack at the time of release.
Microsoft Patches for November 2020
For November, Microsoft released patches to correct 112 CVEs in Microsoft Windows, Office and Office Services and Web Apps, Internet Explorer (IE), Edge (EdgeHTML-based and Chromium-based), ChakraCore, Exchange Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Teams, and Visual Studio. After a brief dip in October, we’re back into the 110+ CVEs per month volume of patches again. That makes eight months this year with this level of patches, so we really need to think of this as the new normal.
Of these 112 patches, 17 are rated as Critical, 93 are rated as Important, and two are rated Low in severity. A total of six of these bugs came through the ZDI program. Only one bug is listed as publicly known and under active attack. You’ll notice some big changes in the documentation for this month’s release (see below for details). Microsoft has decided to reduce the amount of information it publishes about the bugs being patched. Consequently, you’ll see less detail in this blog as well. We’ll still do what we can to parse the release with what data Microsoft does publish and our deep knowledge of bug reports. We do see quite a few of them. Let’s take a closer look at some of the more severe bugs in this release, starting with the bug currently being exploited:
- CVE-2020-17087 - Windows Kernel Local Elevation of Privilege Vulnerability
This privilege escalation bug was publicly disclosed by Google in late October. They noted it was combined with a Chrome bug to escape the browser sandbox and execute code on the target system. While not explicitly stated, the language used makes it seem the exploit is not yet widespread. However, considering there is a full analysis of the bug weeks before the patch, it will likely be incorporated into other exploits quickly.
- CVE-2020-17084 - Microsoft Exchange Server Remote Code Execution Vulnerability
This patch corrects a code execution bug in Exchange that was reported by Pwn2Own Miami winner Steven Seeley. With no details provided by Microsoft, we can only assume this is the bypass of CVE-2020-16875 he had previously mentioned. It is very likely he will publish the details of these bugs soon. Microsoft rates this as Important, but I would treat it as Critical, especially since people seem to find it hard to patch Exchange at all.
- CVE-2020-17051 - Windows Network File System Remote Code Execution Vulnerability
With no description to work from, we need to rely on the CVSS to provide clues about the real risk from this bug. At a 9.8, it’s about as critical as a bug can get. Considering this is listed as no user interaction with low attack complexity, and considering NFS is a network service, you should treat this as wormable until we learn otherwise.
- CVE-2020-17040 - Windows Hyper-V Security Feature Bypass Vulnerability
Here’s another bug that could be helped by a description. It’s not clear which security feature in Hyper-V is being bypassed or how an attacker can abuse it. Again, the attack complexity is low, authentication is not required, and there is no user interaction. Additional details are needed to accurately judge the risk from this bug, but the title and CVSS values alone put this bug on everyone’s radar.
Here’s the full list of CVEs released by Microsoft for November 2020.
|CVE||Title||Severity||Public||Exploited||Type|
|CVE-2020-17087||Windows Kernel Local Elevation of Privilege Vulnerability||Important||Yes||Yes||EoP|
|CVE-2020-17105||AV1 Video Extension Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-16988||Azure Sphere Elevation of Privilege Vulnerability||Critical||No||No||EoP|
|CVE-2020-17048||Chakra Scripting Engine Memory Corruption Vulnerability||Critical||No||No||RCE|
|CVE-2020-17101||HEIF Image Extensions Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-17106||HEVC Video Extensions Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-17107||HEVC Video Extensions Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-17108||HEVC Video Extensions Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-17109||HEVC Video Extensions Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-17110||HEVC Video Extensions Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-17053||Internet Explorer Memory Corruption Vulnerability||Critical||No||No||RCE|
|CVE-2020-17058||Microsoft Browser Memory Corruption Vulnerability||Critical||No||No||RCE|
|CVE-2020-17078||Raw Image Extension Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-17079||Raw Image Extension Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-17082||Raw Image Extension Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-17052||Scripting Engine Memory Corruption Vulnerability||Critical||No||No||RCE|
|CVE-2020-17051||Windows Network File System Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-17042||Windows Print Spooler Remote Code Execution Vulnerability||Critical||No||No||RCE|
|CVE-2020-1325||Azure DevOps Server and Team Foundation Services Spoofing Vulnerability||Important||No||No||Spoof|
|CVE-2020-16986||Azure Sphere Denial of Service Vulnerability||Important||No||No||DoS|
|CVE-2020-16981||Azure Sphere Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-16989||Azure Sphere Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-16992||Azure Sphere Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-16993||Azure Sphere Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-16985||Azure Sphere Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-16990||Azure Sphere Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-16983||Azure Sphere Tampering Vulnerability||Important||No||No||Tampering|
|CVE-2020-16970||Azure Sphere Unsigned Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-16982||Azure Sphere Unsigned Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-16984||Azure Sphere Unsigned Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-16987||Azure Sphere Unsigned Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-16991||Azure Sphere Unsigned Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-16994||Azure Sphere Unsigned Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17054||Chakra Scripting Engine Memory Corruption Vulnerability||Important||No||No||RCE|
|CVE-2020-16998||DirectX Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17049||Kerberos Security Feature Bypass Vulnerability||Important||No||No||SFB|
|CVE-2020-17090||Microsoft Defender for Endpoint Security Feature Bypass Vulnerability||Important||No||No||SFB|
|CVE-2020-17005||Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability||Important||No||No||XSS|
|CVE-2020-17006||Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability||Important||No||No||XSS|
|CVE-2020-17018||Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability||Important||No||No||XSS|
|CVE-2020-17021||Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability||Important||No||No||XSS|
|CVE-2020-17019||Microsoft Excel Remote Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17064||Microsoft Excel Remote Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17065||Microsoft Excel Remote Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17066||Microsoft Excel Remote Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17067||Microsoft Excel Security Feature Bypass Vulnerability||Important||No||No||SFB|
|CVE-2020-17085||Microsoft Exchange Server Denial of Service Vulnerability||Important||No||No||DoS|
|CVE-2020-17083||Microsoft Exchange Server Remote Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17084||Microsoft Exchange Server Remote Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17062||Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17063||Microsoft Office Online Spoofing Vulnerability||Important||No||No||Spoof|
|CVE-2020-17081||Microsoft Raw Image Extension Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17086||Microsoft Raw Image Extension Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-16979||Microsoft SharePoint Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17017||Microsoft SharePoint Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17061||Microsoft SharePoint Remote Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17016||Microsoft SharePoint Spoofing Vulnerability||Important||No||No||Spoof|
|CVE-2020-17060||Microsoft SharePoint Spoofing Vulnerability||Important||No||No||Spoof|
|CVE-2020-17091||Microsoft Teams Remote Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17020||Microsoft Word Security Feature Bypass Vulnerability||Important||No||No||SFB|
|CVE-2020-17000||Remote Desktop Protocol Client Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-16997||Remote Desktop Protocol Server Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17104||Visual Studio Code JSHint Extension Remote Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17100||Visual Studio Tampering Vulnerability||Important||No||No||Tampering|
|CVE-2020-17102||WebP Image Extensions Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17010||Win32k Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17038||Win32k Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17013||Win32k Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17012||Windows Bind Filter Driver Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17113||Windows Camera Codec Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17029||Windows Canonical Display Driver Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17024||Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17088||Windows Common Log File System Driver Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17071||Windows Delivery Optimization Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17007||Windows Error Reporting Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17036||Windows Function Discovery SSDP Provider Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17068||Windows GDI+ Remote Code Execution Vulnerability||Important||No||No||RCE|
|CVE-2020-17004||Windows Graphics Component Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17040||Windows Hyper-V Security Feature Bypass Vulnerability||Important||No||No||SFB|
|CVE-2020-17035||Windows Kernel Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17045||Windows KernelStream Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17030||Windows MSCTF Server Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17069||Windows NDIS Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17047||Windows Network File System Denial of Service Vulnerability||Important||No||No||DoS|
|CVE-2020-17056||Windows Network File System Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17011||Windows Port Class Library Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17041||Windows Print Configuration Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17001||Windows Print Spooler Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17014||Windows Print Spooler Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17025||Windows Remote Access Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17026||Windows Remote Access Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17027||Windows Remote Access Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17028||Windows Remote Access Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17031||Windows Remote Access Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17032||Windows Remote Access Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17033||Windows Remote Access Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17034||Windows Remote Access Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17043||Windows Remote Access Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17044||Windows Remote Access Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17055||Windows Remote Access Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-1599||Windows Spoofing Vulnerability||Important||No||No||Spoof|
|CVE-2020-17070||Windows Update Medic Service Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17073||Windows Update Orchestrator Service Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17074||Windows Update Orchestrator Service Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17076||Windows Update Orchestrator Service Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17077||Windows Update Stack Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17075||Windows USO Core Worker Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17037||Windows WalletService Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-16999||Windows WalletService Information Disclosure Vulnerability||Important||No||No||Info|
|CVE-2020-17057||Windows Win32k Elevation of Privilege Vulnerability||Important||No||No||EoP|
|CVE-2020-17015||Microsoft SharePoint Spoofing Vulnerability||Low||No||No||Spoof|
|CVE-2020-17046||Windows Error Reporting Denial of Service Vulnerability||Low||No||No||DoS|
You’ll notice this month’s patch table does not contain the Exploitability Index (XI) rating. Originally, XI was intended to help sysadmins prioritize which patches to test and deploy first. The thought was that some would prioritize Important-rated bugs likely to be exploited over Critical-rated bugs that were unlikely to be exploited. Since that time, security patches from Microsoft have become cumulative. Today, it is rare that you apply one patch for one component – you apply the monthly rollup that fixes many CVEs. Therefore, you have to treat all bugs in that update as though they have the highest XI rating, provided at least one bug fixed has the highest rating. It doesn’t make sense to call out the few XI=1 bugs when the whole update should be treated as XI=1. The exploitability index was a good initiative when it was introduced back in 2008. These days, it’s an outdated rating that has run its course.
The other big change this month relates to Microsoft’s removal of the description section of the CVE overview. In Microsoft’s examples on their blog explaining the change, they pick some simple cases to review. In those cases, an accurate CVSS is really all you need. After all, there’s only so much you can say about another SharePoint cross-site scripting (XSS) bug or a local privilege escalation that requires you to log on and run a specially crafted program. However, CVSS itself is not flawless. For example, “Privileges Required” and “User Interaction” are relatively straightforward to answer. Other fields, such as “Attack Complexity”, do have gray areas where people can disagree on the rating. From Microsoft’s perspective, I’m sure they think they know best about how to rate a bug. There have been times when the researcher who found the bug disagreed.
As someone who has written many bulletins myself, I understand the repetitive nature of these descriptions. I have literally forgotten how many kernel EoP bugs I have written up - and they were all almost identical. However, there are those outlier cases where a description does matter. Two examples are above. Another example is CVE-2020-17049. What security feature in Kerberos is being bypassed? What is the likelihood? As a network defender, I have defenses to mitigate risks beyond just applying security patches. Should I employ those other technologies while the patches roll out? Until I have some idea of the answers to those questions, I can’t accurately assess the risk to my network from this or any of the other bugs with outstanding questions. Hopefully, Microsoft will decide to re-add the executive summaries in future releases.
Back to the actual patches…
Looking at the Critical-rated updates, most involve either one of the browsers or a video codec. We’re seeing more and more research into the multitude of codecs available for Windows, so expect this trend to continue. There’s also a code execution bug in the print spooler that could be worrying. There are quite a few bugs related to Azure Sphere, including a Critical-rated one. However, you most likely won’t need to take any action on these bugs. IoT devices running Azure Sphere connected to the Internet check for updates every day and have likely already applied the patches. You only need to take action if your devices are not connected to the Internet or if you are a device manufacturer.
There are a relatively high number of remote code execution bugs getting fixes this month. Beyond the Critical-rated ones already mentioned, the bug in Microsoft Teams stands out – simply because so many students are using Teams right now and may not be as security savvy as adults. It does require user interaction, so remind your kids not to click on links from strangers. There’s also another Exchange Server code execution bug, but this one has a lower CVSS than the one previously mentioned. Steven has been a busy guy.
There are a total of 37 elevation of privilege (EoP) bugs getting fixes this month. In most of these cases, an attacker would need to log in to a target system then run a specially crafted program to escalate privileges. There are a couple of exceptions, such as CVE-2020-17012. In this case, the specific flaw exists within the bindflt.sys driver. A crafted request with an IOCTL of 0x220000 can perform remapping of directories. This was reported through the ZDI program, so we do have a good understanding of this bug.
There are a significant number of information disclosure bugs being addressed this month as well. For the most part, the information leaked consists of unspecified memory contents. There are a couple of exceptions. The first impacts Azure Sphere and could allow attackers to find device information like resource IDs, SAS tokens, user properties, and other sensitive information. There’s also a bug in SharePoint that could allow attackers to read from the file system.
Six patches address spoofing bugs, but without a description, it’s difficult to guess what these might be. The spoofing bugs in SharePoint typically indicate XSS, but the CVE-2020-1599 title, “Windows Spoofing Vulnerability”, could be just about anything. The same could be said for the tampering fixes for Azure Sphere and Visual Studio. The November release is rounded out by four patches to address XSS in Microsoft Dynamics 365.
The lone advisory for this month is the revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.
The final Patch Tuesday for 2020 falls on December 8, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!
The November 2020 Security Update Review