Microsoft’s “Patch Tuesday” is once again (perhaps by now unsurprisingly) a whopper, with 129 vulnerabilities to fix; 23 of them rated critical and a chunky 105 listed as important — up from August’s tally of 120 CVEs, with 17 considered critical.
If there’s a silver lining to this cloud it is that — unlike last month — none are listed as under active attack. Yet the release brings Microsoft’s tally of bugs needing fixing this year to 991, and includes patches for some severe vulnerabilities that no shortage of well-resourced bad actors will be looking to swiftly reverse engineer.
In the real world, of course, working out what to patch is a perennial dice-roll (for those not in the sunlit uplands where rebooting systems at the click of IT’s fingers is possible; for most it’s not) and as one contributor recently noted in a lively debate over risk prioritisation on the OSS-security mailing list, “the frameworks which do exist, such as CVSS, are entirely arbitrary and unable to take into account information about the variety of end user deployments”. (Others may disagree. Feel free to weigh in).
Regardless, there’s lots to patch… Some highlights:
CVE-2020-1452, 1453, 1576, 1200, 1210, and 1595 are all critical remote code execution vulnerabilities identified in Microsoft SharePoint.
As patch management specialist Automox notes: “The result of deserializing untrusted data input, the vulnerability allows arbitrary code execution in the SharePoint application pool and server farm account.
“Variations of the attack such as CVE-2020-1595 (API specific), reflect the importance of patching this vulnerability to reduce the threat surface.”
CVE-2020-0922 — Remote Code Execution Vulnerability in Microsoft COM for Windows. CVSS 8.8
This vulnerability impacts Windows 7 – 10 and Windows Server 2008 through 2019. The vulnerability exists in the way Microsoft COM handles objects in memory and, when exploited, would allow an attacker to execute arbitrary scripts on a victim machine.
Google Chrome also has five high severity bugs to patch. Many of these have downstream impact, in Red Hat Enterprise Linux 6, to pick just one example. Other open source-based OS providers like Ubuntu also pushed out patches, including in libX11 and the Linux kernel — the latter after a Proofpoint researcher, Or Cohen, discovered that the AF_PACKET implementation in the Linux kernel did not properly perform bounds checking in some situations. A local attacker could possibly execute arbitrary code.