IaaS, Azure & IT News | Foundation IT

Patch Tuesday Update - November 2020 - Foundation IT

Written by Lizzie Arcari | Nov 12, 2020 12:00:00 AM

Microsoft has released its November 2020 security updates, which is fixes for 112 vulnerabilities in Microsoft products. Every month we will post our vulnerability score and tips around each patch released, to provide advice for IT professionals and businesses.

Out of the 112 patches, 17 are classed as critical, 93 are classed as important and 2 are classed as moderate.

Zero-days discovered:

This month’s pathing included a fix for a zero-day privilege escalation vulnerability in the Windows Kernel Cryptography Driver that was being used in targeted attacks. Google has explained, “the bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue”.

The vulnerability’s ID is:  CVE-2020-17087.

Other products:

Other companies who have released security updates this week:

  • Adobe: Adobe Reader for Andriod and Adobe Connect
  • Apple: iOS, macOS, tvOS and watchOS
  • SAP: November 2020 security updates

All the patches can be found in the table below or alternatively downloaded here.

We have also curated a Patching Best Practice Guide.

Category

CVE IDs

CVE Title

Severity

FIT Score & Tip

Azure DevOps 1

CVE-2020-1325

Azure DevOps Server and Team Foundation Services Spoofing Vulnerability

Important

 

3/5 - Microsoft released multiple updates for the Azure stack this month, showing that Azure also suffers with vulnerabilities much like an on premise environment. These need to be applied based on what is used by your business.

Azure Sphere 1

CVE-2020-16988

Azure Sphere Elevation of Privilege Vulnerability

Critical

4/5 - Microsoft released multiple updates for the Azure stack this month, showing that Azure also suffers with vulnerabilities much like an on premise environment. These need to be applied based on what is used by your business.

Azure Sphere 14

CVE-2020-16985 CVE-2020-16986 CVE-2020-16987 CVE-2020-16984 CVE-2020-16981 CVE-2020-16982 CVE-2020-16983 CVE-2020-16993 CVE-2020-16994 CVE-2020-16970 CVE-2020-16992 CVE-2020-16989 CVE-2020-16990 CVE-2020-16991

Azure Sphere Information Disclosure Vulnerability Azure Sphere Denial of Service Vulnerability Azure Sphere Unsigned Code Execution Vulnerability Azure Sphere Elevation of Privilege Vulnerability Azure Sphere Tampering Vulnerability

Important

3/5 - Microsoft released multiple updates for the Azure stack this month, showing that Azure also suffers with vulnerabilities much like an on premise environment. These need to be applied based on what is used by your business.

Common Log File System Driver 1

CVE-2020-17088

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Microsoft Browsers 1

CVE-2020-17058

Microsoft Browser Memory Corruption Vulnerability

Critical

4/5 - Most machines have a Microsoft browser installed, even if not used, making this critical for installation, if applicable.

Microsoft Dynamics 4

CVE-2020-17005 CVE-2020-17018 CVE-2020-17021 CVE-2020-17006

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Important

4/5 - Based on the function that Microsoft Dynamics provides, it's worth paying attention and applying this fix when possible, however like anything, worth testing first before applying to production.

Microsoft Exchange Server 3

CVE-2020-17083 CVE-2020-17085 CVE-2020-17084

Microsoft Exchange Server Remote Code Execution Vulnerability Microsoft Exchange Server Denial of Service Vulnerability

Important

4/5 - Microsoft Exchange is becoming less and less utilised on-premise. However if used or if utilised in a hybrid configuration with Office 365, get this update applied when possible.

Microsoft Graphics Component 5

CVE-2020-16998 CVE-2020-17029 CVE-2020-17004 CVE-2020-17038 CVE-2020-17068

DirectX Elevation of Privilege Vulnerability Windows Canonical Display Driver Information Disclosure Vulnerability Windows Graphics Component Information Disclosure Vulnerability Win32k Elevation of Privilege Vulnerability Windows GDI+ Remote Code Execution Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Microsoft Office 8

CVE-2020-17065 CVE-2020-17064 CVE-2020-17066 CVE-2020-17019 CVE-2020-17067 CVE-2020-17062 CVE-2020-17063 CVE-2020-17020

Microsoft Excel Remote Code Execution Vulnerability Microsoft Excel Security Feature Bypass Vulnerability Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Microsoft Office Online Spoofing Vulnerability Microsoft Word Security Feature Bypass Vulnerability

Important

5/5 - Anything that an end user could be affected by, should be patched as soon as possible. Remember a chain is only as strong, as its weakest link.

Microsoft Office Sharepoint 5

CVE-2020-17016 CVE-2020-16979 CVE-2020-17017 CVE-2020-17061 CVE-2020-17060

Microsoft SharePoint Spoofing Vulnerability Microsoft SharePoint Information Disclosure Vulnerability Microsoft SharePoint Remote Code Execution Vulnerability

Important

4/5 - Much like Exchange, SharePoint on-premise is being less and less utilised and anyone using SharePoint Online will have these vulnerability fixes applied automatically. Worth applying sooner rather than later for your on-premise if applicable.

Microsoft Office Sharepoint 1

CVE-2020-17015

Microsoft SharePoint Spoofing Vulnerability

Moderate

1/5 - Classified as low by Microsoft, exploitation less likely but no reason to exclude from your typical update cycle.

Microsoft Scripting Engine 3

CVE-2020-17048 CVE-2020-17053 CVE-2020-17052

Chakra Scripting Engine Memory Corruption Vulnerability Internet Explorer Memory Corruption Vulnerability Scripting Engine Memory Corruption Vulnerability

Critical

4/5 - Classified as critical by Microsoft this is on update that should be applied as soon as possible.

Microsoft Scripting Engine 1

CVE-2020-17054

Chakra Scripting Engine Memory Corruption Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Microsoft Teams 1

CVE-2020-17091

Microsoft Teams Remote Code Execution Vulnerability

Important

3/5 - Ultimately the haste required in applying this update is based on the usage of Teams. However in the current climate this would be considered quite important to get resolved.

Microsoft Windows 2

CVE-2020-17042 CVE-2020-17051

Windows Print Spooler Remote Code Execution Vulnerability indows Network File System Remote Code Execution Vulnerability

Critical

4/5 - Classified as critical by Microsoft this is on update that should be applied as soon as possible.

Microsoft Windows 31

CVE-2020-17032 CVE-2020-17033 CVE-2020-17026 CVE-2020-17031 CVE-2020-17027 CVE-2020-17030 CVE-2020-17028 CVE-2020-17044 CVE-2020-17074 CVE-2020-17043 CVE-2020-17041 CVE-2020-17034 CVE-2020-17049 CVE-2020-17040 CVE-2020-17047 CVE-2020-17036 CVE-2020-17000 CVE-2020-1599 CVE-2020-16997 CVE-2020-17001 CVE-2020-17057 CVE-2020-17056 CVE-2020-17055 CVE-2020-17010 CVE-2020-17007 CVE-2020-17014 CVE-2020-17025 CVE-2020-17024 CVE-2020-17013 CVE-2020-17011 CVE-2020-17012

Windows Remote Access Elevation of Privilege Vulnerability Windows MSCTF Server Information Disclosure Vulnerability Windows KernelStream Information Disclosure Vulnerability Windows Remote Access Elevation of Privilege Vulnerability Windows Print Configuration Elevation of Privilege Vulnerability Kerberos Security Feature Bypass Vulnerability Windows Hyper-V Security Feature Bypass Vulnerability Windows Network File System Denial of Service Vulnerability Windows Function Discovery SSDP Provider Information Disclosure Vulnerability Remote Desktop Protocol Client Information Disclosure Vulnerability Windows Spoofing Vulnerability Remote Desktop Protocol Server Information Disclosure Vulnerability Windows Print Spooler Elevation of Privilege Vulnerability Windows Win32k Elevation of Privilege Vulnerability Windows Network File System Information Disclosure Vulnerability Win32k Elevation of Privilege Vulnerability Windows Error Reporting Elevation of Privilege Vulnerability Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability Windows Port Class Library Elevation of Privilege Vulnerability Windows Bind Filter Driver Elevation of Privilege Vulnerability

Important

5/5 - Microsoft resolved multiple elevation of privilege vulnerabilities and because these are on end user operating systems, these are always important to get resolved so they do not get exploited.

Microsoft Windows 1

CVE-2020-17043

Windows Error Reporting Denial of Service Vulnerability

Moderate

1/5 - Classified as low by Microsoft, exploitation less likely but no reason to exclude from your typical update cycle.

Microsoft Windows Codecs Library 10

CVE-2020-17106 CVE-2020-17101 CVE-2020-17105 CVE-2020-17082 CVE-2020-17079 CVE-2020-17078 CVE-2020-17107 CVE-2020-17110 CVE-2020-17108 CVE-2020-17109

HEVC Video Extensions Remote Code Execution Vulnerability HEIF Image Extensions Remote Code Execution Vulnerability AV1 Video Extension Remote Code Execution Vulnerability Raw Image Extension Remote Code Execution Vulnerability

Critical

5/5 - Anything that an end user could be affected by, should be patched as soon as possible. Remember a chain is only as strong, as its weakest link.

Microsoft Windows Codecs Library 4

CVE-2020-17102 CVE-2020-17086 CVE-2020-17081 CVE-2020-17113

WebP Image Extensions Information Disclosure Vulnerability Raw Image Extension Remote Code Execution Vulnerability Microsoft Raw Image Extension Information Disclosure Vulnerability Windows Camera Codec Information Disclosure Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Visual Studio 2

CVE-2020-17104 CVE-2020-17100

Visual Studio Code JSHint Extension Remote Code Execution Vulnerability Visual Studio Tampering Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Windows Defender 1

CVE-2020-17090

Microsoft Defender for Endpoint Security Feature Bypass Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully. As Defender is Window's inbuilt AV and protection, if your AV fails, Defender can often pick up the slack - worth updating.

Windows Kernel 2

CVE-2020-17035 CVE-2020-17087

Windows Kernel Elevation of Privilege Vulnerability Windows Kernel Local Elevation of Privilege Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Windows NDIS 1

CVE-2020-17069

Windows NDIS Information Disclosure Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Windows Update Stack 7

CVE-2020-17074 CVE-2020-17073 CVE-2020-17071 CVE-2020-17075 CVE-2020-17070 CVE-2020-17077 CVE-2020-17076

Windows Update Orchestrator Service Elevation of Privilege Vulnerability Windows Delivery Optimization Information Disclosure Vulnerability Windows USO Core Worker Elevation of Privilege Vulnerability Windows Update Medic Service Elevation of Privilege Vulnerability Windows Update Stack Elevation of Privilege Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.

Windows WalletService 2

CVE-2020-16999 CVE-2020-17037

Windows WalletService Information Disclosure Vulnerability Windows WalletService Elevation of Privilege Vulnerability

Important

3/5 - Classified as important by Microsoft, so worth getting on your machines if applicable, and once tested fully.