Posted on 10/13/2020 6:41:18 PM PDT by dayglored
Redmond urges folks to apply update ASAP, plus more fixes for Outlook and software from Adobe, Intel, SAP, Red Hat
Patch Tuesday: Microsoft's Update Tuesday patch dump for October 2020 has delivered security patches that attempt to address 87 CVEs for a dozen Redmond products.
Nadella's security crew has identified 22 remote code execution (RCE) CVEs, though the most worrisome looks like CVE-2020-16898, Windows TCP/IP RCE, which is rated 9.8 out of 10 in severity. It affects Windows desktop and server systems.
According to Microsoft, the Windows TCP/IP stack doesn't properly handle ICMPv6 Router Advertisement packets. Thus someone could send a vulnerable machine a maliciously crafted IPv6 packet over the network to inject and execute code on the box, and ultimately hijack it, presumably with kernel-level privileges. Here's the worrying blurb from Redmond:
A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.
To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.
Microsoft said exploitation is likely, and a workaround is available for Windows build 1709 and above. You're urged to patch this ASAP, though.
"Since the code execution occurs in the TCP/IP stack, it is assumed the attacker could execute arbitrary code with elevated privileges," said Zero Day Initiative's Dustin Childs in a summary of today's patches.
"If you're running an IPv6 network, you know that filtering router advertisements is not a practical workaround. Microsoft also gives this bug its highest exploitability rating, so exploits are likely. You should definitely test and deploy this patch as soon as possible."
CVE-2020-16947, a Microsoft Outlook RCE, also looks like it could pose problems. Rated with a CVSS score of 8.1/10, this memory handling flaw could allow an attacker to send a user with admin rights a specially crafted file and take over the system, if the preview pane is open.
"The specific flaw exists within the parsing of HTML content in an email," explained Childs. "The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer."
A total of 11 flaws are designated critical, 75 rate moderate, and one is merely important. Six of them have already been publicly disclosed.
Affected applications include:
The 88th entry on Microsoft's list is an advisory for Adobe Flash Player for Windows, which along with the versions for macOS, Linux and Chrome OS, contains a critical arbitrary code execution flaw (CVE-2020-9746).
Exploitation of the vulnerability "requires an attacker to insert malicious strings in an HTTP response that is by default delivered over TLS/SSL," according to Adobe.
Users should install Adobe Flash Player 32.0.0.445 on the applicable operating system and enjoy whatever time they have left with the app: Adobe plans to stop distributing Flash Player on December 31, 2020.
Enterprise software vendor SAP also delivered a parcel of patches: 15, plus six additional patches to previous patches.
The most serious of these is an OS command injection vulnerability (CVE-2020-6364) affecting SAP Solution Manager (CA Introscope Enterprise Manager) and SAP Focused Run (CA Introscope Enterprise Manager), Versions - WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7. The bug rates 10 out of 10 in severity.
Intel released one security advisory covering three vulnerabilities in the BlueZ open-source Bluetooth stack. These high severity flaws could lead to privilege escalation and information disclosure. The fixes involve a Linux kernel update.
Red Hat meanwhile issued a security advisory for the Chromium browser in various Red Hat Enterprise Linux 6 packages. It addresses 35 fixes delivered by Google last week.
On the bright side, 87 CVEs is significantly less than the 129 Microsoft addressed in September. ®
Do you prefer Panic Wednesday?
And this is the place where windows has brought us to in 2020.
No one is happy dancing about it.
“You have to go out of your way to disable IPv6.”
good thing i’ve always automatically done that on all machines i maintain for clients ...
Indeed. Wikipedia confirms the original was gaming, and it spread to the larger network context.
OK. . .so what should I do. I use MS Windows.
Take it from a "greybeard", Microsoft has ALWAYS been like this, Paul Allen was the only one there with any intelligence ...
Thanx for the tips..
Appreciate very much
If you're using Windows 10, it'll do it for you, sooner or later (forced updates). If you're using Win8.1, run Windows Update to get the latest fixes.
Otherwise, like if you're still using Win7 or WinXP, there are no longer any updates for those versions, so it won't happen, and you can't make it happen. As a rule, I'd encourage you to upgrade to Win10 for the security improvements, even if you (like me) aren't a fan of how it looks or acts. But to each their own; many FReepers stay with the older versions and are happy with that.
Oddly enough, my Mac is running just fine!!
Suckers!!!!
Those of us who run Macs have an easier time of it, that's true, but even Apple's updates have occasionally caused problems. Software is complicated, and updates are hard to do without mistakes.
My Windows machines are all virtual (VMs) running in VMware Fusion, on my Mac hardware (Mini and MacBook). I don't install Windows on the metal unless for screaming performance reasons I have to. Extreme gaming is about the only reason for doing so, but it's a good reason.
As a result, if Windows takes a crap, restoring is a simple file copy from a recent backup copy of the VM. And Time Machine is the best backup software I've ever used.
Thanks for taking the time to explain. . .I had to upgrade to Windows 10. So I guess they will automatically update it. I just clicked on an icon that turned out to be windows security and said no attention needed. I don’t twitter, tweet, facebook, zoom or skype and turned my TV off 5 years ago (don’t miss it) but I certainly appreciate all the Freepers that keep us posted on the latest as well as providing much needed help and encouragement when needed. Thanks again.
I just switched to Ubuntu 20.04 from CentOS 6. Red Hat saw fit to dump the drivers for my RAID controller.
Bkmk
Take it from a “greybeard”, Microsoft has ALWAYS been like this, Paul Allen was the only one there with any intelligence ...
Gotten far, far worse with turd world Indian H1Bs replacing Americans, and the turd world Indian trash CEO was the final straw.
Microsoft was responsible for switching the population of Eastern King County from <1% Indian 10 years ago to over 40% today.
Unlike most people here, I never really had the patching issues they did. I don't recall a patch ever rendering one of my machines useless. I build all my own computers and research the components I put into every one of them. I don't buy off-brand parts, building my own means I save the $300 "build fee" every off the shelf computer has and can invest that into high quality components that stand the test of time. Doing that meant I didn't have the problems with Windows many did.
My issue with Windows was I did see the quality going down and the number of bugs going up. That was a warning sign for me that it was time to get off that OS. I've run Ubuntu as a purpose built VM for a number of years already, so switching to me wasn't really a big deal.
Now I keep a Windows 10 VM as a purpose built machine, primarily for Visio and some ham radio software I run. Beyond that, it stays spun down.
Everything else I need to do, I can do with Ubuntu. All the things I used to do with MS Office I can do with Libre Office. Skype works on Linux, as does Microsoft Teams which my company uses for collaboration now. No one notices that I'm not on a Microsoft device. Welcome to working from home and remote computing.
My "daily driver" machine is an AMD 2700x with 32Gb of memory and an SSD RAID. Talk about screaming fast. It's done booting up before I can take my finger off the power button and the Windows 10 VM that's on it boots faster than any physical Win10 machine I've ever seen. Take that Microsoft.
You sure got that right.
Too true. I cannot even guess at how many hours of my life the crappy code from Microsoft has wasted, and I don't personally even use the crap. I've been using Linux at home for years and years. I think it's somewhere around 20 by now. While I've had some mishaps with it, they are nothing compared to the crap folks get regularly from MS-Windows.
The very concept that just about every single patch requires a reboot of the box (sometimes more than one), is just absolutely insane.
First version of Linux: 0.98 or something. Came on 4 floppies.