Microsoft emits 112 security hole fixes – including the cure for a Google-disclosed kernel vuln exploited in the wild (Windows Update - Patch Tuesday)
Posted on 11/11/2020 11:12:55 AM PST by dayglored
Android, Adobe, SAP, Red Hat join the bug-busting party
Patch Tuesday: Microsoft published fixes for 112 software vulnerabilities for its November Patch Tuesday, 17 of which have been rated critical.
Of the remainder, 93 are rated important, and two are rated low severity.
Fifteen Microsoft products are affected, including: Microsoft Windows, Office, Internet Explorer, Edge (EdgeHTML and Chromium), ChakraCore, Exchange Server, Dynamics, Windows Codecs Library, Azure Sphere, Windows Defender, Teams, Azure SDK, Azure DevOps, and Visual Studio.
One of the fixed flaws is being actively exploited, the Windows Kernel Cryptography Driver vulnerability (CVE-2020-17087) disclosed by Google's Project Zero at the end of last month.
"One of the most notable fixes in this month's release is for CVE-2020-17087, an elevation-of-privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer-overflow vulnerability in the FreeType 2 library used by Google Chrome," Satnam Narang, staff research engineer at security biz Tenable, told The Register.
"The elevation-of-privilege vulnerability was used to escape Google Chrome's sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year."
Narang said the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI last month published a joint advisory warning that miscreants are chaining unpatched vulnerabilities together to compromise and gain access to targets. Indeed, judging from the above, and from the fact that Apple patched exploited-in-the-wild bugs, found by Google Project Zero, in its font parser and kernel code, one might assume someone highly skilled or some top-tier group has lately taken a particular interest in hijacking people's computers and devices via malicious webpages and documents.
Zero Day Initiative's Dustin Childs in a blog post observed the relatively high number of remote-code execution (RCE) bugs getting repaired this month.
"Beyond the Critical-rated ones already mentioned, the bug in Microsoft Teams stands out simply because so many students are using Teams right now and may not be as security savvy as adults," Childs said. "It does require user interaction, so remind your kids not to click on links from strangers."
The Teams RCE bug, designated CVE-2020-17091, is only rated important.
In conjunction with its patch dump, Microsoft has redesigned how it presents vulnerability information in its online Security Update Guide. Redmond suggests its design change conveys vulnerability information more concisely. But Childs criticized the layout revision, stating that less information is now published, which makes it more difficult to assess the risks of various bugs.
Other companies posted their own lists of security shortcomings. Google published details about 20 Android flaws, plus bugs identified in MediaTek and Qualcomm components. Adobe, after firing off an out-of-band update last week, published two new bulletins. Intel published 36 security advisories. SAP is offering 12 new advisories alongside three updates to previous ones. Red Hat has released 21 security updates.
In all, it's enough to keep IT admins and users busy patching for a while. ®
Man! That took forever! Almost an hour. Mistakenly had time set for afternoon instead of overnight :D
Gosh I am surprised there are any bugs in Windows software. Their products just work....
My Windows-7 is still receiving software updates.
How is that possible, my W7 hasn’t received anything in months.
Dare I even try?
I only occasionally boot from Windows 7 but when I do it gets updates, too. Maybe only those MS deems critical or something?
Windows Defender definition updates, perhaps? ;-)
No, it isn’t just those. That would be one update each month. These are sporadic.
Windows Malicious Software Removal Tool x64 - v5.84 (KB890830)
Installation date: 11/11/2020 12:44 PM
Installation status: Successful
Update type: Important
After the download, this tool runs one time to check your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any infection that is found. If an infection is found, the tool will display a status report the next time that you start your computer. A new version of the tool will be offered every month. If you want to manually run the tool on your computer, you can download a copy from the Microsoft Download Center, or you can run an online version from microsoft.com. This tool is not a replacement for an antivirus product. To help protect your computer, you should use an antivirus product.
More information: http://support.microsoft.com/kb/890830 Help and Support: http://support.microsoft.com
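The thread above is working out, from one pasted history entry, whether a Windows 7 box is still getting OS security updates or only the Malicious Software Removal Tool and Defender definitions. The script below is an added example, not code from the article or from any poster: it reads the local Windows Update history through the Windows Update Agent COM API (Microsoft.Update.Session, which exists on Windows 7 and later) and buckets each successful install by title. The title patterns used for classification and the 90-day window are assumptions; adjust them for your environment. It is written to run on the PowerShell 2.0 that Windows 7 ships with.

```powershell
# Added example (not from the article or the thread): summarize recent Windows Update
# history so you can tell whether a machine is still receiving OS security updates
# or only Defender definitions and the Malicious Software Removal Tool (KB890830).
# Assumes the Windows Update Agent COM API is available (Windows 7 and later).
param([int]$Days = 90)   # assumed lookback window

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$since    = (Get-Date).AddDays(-$Days)

# IUpdateHistoryEntry.ResultCode: 2 = Succeeded, 3 = Succeeded with errors
$entries = $searcher.QueryHistory(0, $count) |
    Where-Object { $_.Date -ge $since -and ((2, 3) -contains $_.ResultCode) }

# Classify each entry by title. These regexes are assumptions about Microsoft's
# naming conventions, not an official taxonomy.
$classified = foreach ($e in $entries) {
    $kind = switch -Regex ($e.Title) {
        'Malicious Software Removal Tool'                                   { 'MSRT'; break }
        'Security Intelligence Update|Definition Update'                     { 'Definitions'; break }
        'Security Update|Security Monthly Quality Rollup|Cumulative Update'  { 'OS security'; break }
        default                                                              { 'Other' }
    }
    New-Object PSObject -Property @{ Date = $e.Date; Kind = $kind; Title = $e.Title }
}

# Newest first, then a per-category count
$classified | Sort-Object Date -Descending | Format-Table Date, Kind, Title -AutoSize
$classified | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize

# The check the thread is really after: are real OS security fixes still arriving?
$osSecurity = @($classified | Where-Object { $_.Kind -eq 'OS security' })
if ($osSecurity.Count -eq 0) {
    Write-Warning ("No OS security updates installed in the last $Days days. " +
                   "Only MSRT/definition updates arriving usually means the OS is out of support.")
}
```

Run it from an elevated PowerShell prompt on the machine in question; on a supported system you should see entries in the "OS security" bucket every month, while an out-of-support Windows 7 install will typically show only "MSRT" and "Definitions", which matches what the posters above are seeing.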
The updates that stopped are the security fixes for the OS and major applications, and of course the feature updates.
Yup. that's what's been coming.
Ooooook, that makes sense.
Would be nice if updates could still be downloaded for Windows 7. I thought there was a plan or subscription or something that would enable users to still get them if they paid a fee.
As far as I know, you have to be a company with a large investment of Windows machines, or be on volume licensing, and you don't want to have to pay that fee. It ramps up every year.