IaaS, Azure & IT News | Foundation IT

Patch Tuesday Update - October 2020 - Foundation IT

Written by Lizzie Arcari | Oct 16, 2020 12:00:00 AM

Microsoft has released its October 2020 security updates, which is fixes for 87 vulnerabilities in Microsoft products and Adobe Flash Player update. This post will give our vulnerability score and tips around each patch released.

Out of the 87 patches, 12 are classed as critical, 74 are classed as important and 1 is classed as moderate.

Top Vulnerabilities:

While there were no zero-days this month, there is a handful that are more interesting critical vulnerabilities:

  • CVE-2020-16911: GDI+ Remote Code Execution Vulnerability
  • CVE-2020-16947: Microsoft Outlook Remote Code Execution Vulnerability
  • CVE-2020-16898: Windows TCP/IP Remote Code Execution Vulnerability
  • CVE-2020-16891: Windows Hyper-V Remote Code Execution Vulnerability
  • CVE-2020-16915: Media Foundation Memory Corruption Vulnerability

Other Products:

There were other companies who have also released their security updates for this month:

  • Adobe: Adober Flash Player
  • Apple: macOS, tvOS and watchesODS
  • Intel: October 2020 platform update
  • SAP: October 2020 security updates

 

All the patches can be found in the table below or alternatively downloaded here.

We have also curatedPatching Best Practice.

Category

Count

CVE IDs

CVE Title

Severity

FIT Score

Tip


.NET Framework

 

1

 

CVE-2020-16937

.NET Framework Information Disclosure Vulnerability

Important


4/5

 

This update is in your normal monthly updates for Windows Operating Systems.

 

Adobe Flash Player

1

ADV200012

October 2020 Adobe Flash Security Update

 

Critical

5/5

Flash is still being utilised on various platforms, this is definietly worth applying even with the ending support for Flash coming, 31/12/2020. This is a separate patch to the monthly roll ups.

Azure

2

CVE-2020-16995 CVE-2020-16904

Network Watcher Agent Virtual Machine Extension for Linux Elevation of Privilege Vulnerability Azure Functions Elevation of Privilege Vulnerability

Important

3/5

The first CVE relates to Linux VM's in Azure - It's worth noting a lot of Appliance based VM's are based on Linux so may be effected. The second CVE has no patch to resolved, but a restart of your Azure Functions app with update it.

Group Policy

1

CVE-2020-16939

Group Policy Elevation of Privilege Vulnerability

Important

3/5

This update is in your normal monthly updates for Windows Operating Systems.

Microsoft Dynamics

3

CVE-2020-16978 CVE-2020-16956 CVE-2020-16943

Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability Dynamics 365 Commerce Elevation of Privilege Vulnerability

Important

2/5

This update should be applied if you have Microsoft Dynamics.

Microsoft Exchange Server

1

CVE-2020-16969

Microsoft Exchange Information Disclosure Vulnerability

Important

2/5

This update should be applied if you have on premise Exchange.

Microsoft Graphics Component

2

CVE-2020-16911 CVE-2020-16923

GDI+ Remote Code Execution Vulnerability Microsoft Graphics Components Remote Code Execution Vulnerability

Critical

4/5

This update is in your normal monthly updates for Windows Operating Systems.

Microsoft Graphics Component

2

CVE-2020-16914 CVE-2020-1167

Windows GDI+ Information Disclosure Vulnerability Microsoft Graphics Components Remote Code Execution Vulnerability

Important

4/5

This update is in your normal monthly updates for Windows Operating Systems.

Microsoft NTFS

1

CVE-2020-16938

Windows Kernel Information Dosclosure Vulnerability

Important

3/5

Applicable to Windows 10 Version 2004. Forms part of the monthly cumulative update.

Microsoft Office

2

 

CVE-2020-16947 CVE-2020-17003

Microsoft Outlook Remote Code Execution Vulnerability Base3D Remote Code Execution Vulnerability

Critical

5/5

A set of specific updates for various Microsoft Office versions have been released. Bare in mind that later versions, like 365 , require Click to Run.

Microsoft Office

11

CVE-2020-16933 CVE-2020-16929 CVE-2020-16934 CVE-2020-16932 CVE-2020-16930 CVE-2020-16955 CVE-2020-16928 CVE-2020-16957 CVE-2020-16918 CVE-2020-16931 CVE-2020-16954

Microsoft Word Security Feature Bypass Vulnerability Microsoft Excel Remote Code Execution Vulnerability Microsoft Office Click-to-Run Elevation of Privilege Vulnerability Microsoft Excel Remote Code Execution Vulnerability Microsoft Office Click-to-Run Elevation of Privilege Vulnerability Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Base3D Remote Code Execution Vulnerability Microsoft Excel Remote Code Execution Vulnerability Microsoft Office Remote Code Execution Vulnerability

Important

5/5

A set of specific updates for various Microsoft Office versions have been released. Bare in mind that later versions, like 365, require Click to Run.

Microsoft Office

1

CVE-2020-16949

Microsoft Outlook Denial of Service Vulnerability

Moderate

3/5

A set of specific updates for Microsoft Outlook versions have been released. Bare in mind that later versions, like 365, require Click to Run.

Microsoft Office Sharepoint

2

CVE-2020-16951 CVE-2020-16952

Microsoft SharePoint Remote Code Execution Vulnerability Microsoft SharePoint Remote Code Execution Vulnerability

Critical

4/5

Essential if SharePoint is run on-premise. SharePoint Online is updated by Microsoft automatically.

Microsoft Office Sharepoint

8

CVE-2020-16948 CVE-2020-16953 CVE-2020-16942 CVE-2020-16944 CVE-2020-16945 CVE-2020-16946 CVE-2020-16941 CVE-2020-16950

Microsoft SharePoint Information Disclosure Vulnerability Microsoft SharePoint Reflective XSS Vulnerability Microsoft Office SharePoint XSS Vulnerability

Important

4/5

These form part of the same updates as the above. Applying these updates take care of all on premise SharePoint vulnerabilities.

Microsoft Windows

1

CVE-2020-16898

Windows TCP/IP Remote Code Execution Vulnerability

Critical

4/5

This update is in your normal monthly updates for Windows Operating Systems.

Microsoft Windows

29

CVE-2020-16900 CVE-2020-16901 CVE-2020-16899 CVE-2020-16908 CVE-2020-16909 CVE-2020-16912 CVE-2020-16940 CVE-2020-16907 CVE-2020-16936 CVE-2020-16897 CVE-2020-16895 CVE-2020-16919 CVE-2020-16921 CVE-2020-16920 CVE-2020-16972 CVE-2020-16877 CVE-2020-16876 CVE-2020-16975 CVE-2020-16973 CVE-2020-16974 CVE-2020-16922 CVE-2020-0764 CVE-2020-16980 CVE-2020-1080 CVE-2020-16887 CVE-2020-16885 CVE-2020-16924 CVE-2020-16976 CVE-2020-16935

Windows Event System Elevation of Privilege Vulnerability Windows Kernel Information Disclosure Vulnerability Windows TCP/IP Denial of Service Vulnerability Windows Setup Elevation of Privilege Vulnerability Windows Error Reporting Elevation of Privilege Vulnerability Windows Backup Service Elevation of Privilege Vulnerability Windows - User Profile Service Elevation of Privilege Vulnerability Win32k Elevation of Privilege Vulnerability Windows Backup Service Elevation of Privilege Vulnerability NetBT Information Disclosure Vulnerability Windows Error Reporting Manager Elevation of Privilege Vulnerability Windows Enterprise App Management Service Information Disclosure Vulnerability Windows Text Services Framework Information Disclosure Vulnerability Windows Application Compatibility Client Library Elevation of Privilege Vulnerability Windows Backup Service Elevation of Privilege Vulnerability Windows Elevation of Privilege Vulnerability Windows Spoofing Vulnerability Windows Storage Services Elevation of Privilege Vulnerability Windows iSCSI Target Service Elevation of Privilege Vulnerability Windows Hyper-V Elevation of Privilege Vulnerability Windows Network Connections Service Elevation of Privilege Vulnerability Windows Storage VSP Driver Elevation of Privilege Vulnerability Jet Database Engine Remote Code Execution Vulnerability Windows Backup Service Elevation of Privilege Vulnerability Windows COM Server Elevation of Privilege Vulnerability

Important

4/5

This update is in your normal monthly updates for Windows Operating Systems.

Microsoft Windows Codecs Library

2

CVE-2020-16967 CVE-2020-16968

Windows Camera Codec Pack Remote Code Execution Vulnerability

Critical

4/5

This vulnerability has updates for Windows 10 only.

PowerShellGet

1

CVE-2020-16886

PowerShellGet Module WDAC Security Feature Bypass Vulnerability

Important

3/5

This is an update for PowerShellGet, which can be done by invoking a Powershell command to update it.

Visual Studio

1

CVE-2020-16977

Visual Studio Code Python Extension Remote Code Execution Vulnerability

Important

3/5

This update is not delivered by Windows Update, but rather the Visual Studio Marketplace.

Windows COM

1

CVE-2020-16916

Windows COM Server Elevation of Privilege Vulnerability

Important

3/5

This update is in your normal monthly updates for Windows Operating Systems.

Windows Error Reporting

1

CVE-2020-16905

Windows Error Reporting Elevation of Privilege Vulnerability

Important

3/5

Applicable to Windows 10, 2016 and 2019 operating systems only.

Windows Hyper-V

2

CVE-2020-16894 CVE-2020-1243

Windows NAT Remote Code Execution Vulnerability Windows Hyper-V Denial of Service Vulnerability

Important

3/5

Applicable to Windows 10, 2016 and 2019 operating systems only.

Windows Hyper-V

1

CVE-2020-16891

Windows Hyper-V Remote Code Execution Vulnerability

Critical

4/5

This update is in your normal monthly updates for Windows Operating Systems.

Windows Installer

1

CVE-2020-16902

Windows Installer Elevation of Privilege Vulnerability

Important

3/5

This update is in your normal monthly updates for Windows Operating Systems.

Windows Kernel

5

CVE-2020-16889 CVE-2020-16892 CVE-2020-16913 CVE-2020-1047 CVE-2020-16910

Windows KernelStream Information Disclosure Vulnerability Windows Image Elevation of Privilege Vulnerability Win32k Elevation of Privilege Vulnerability Windows Hyper-V Elevation of Privilege Vulnerability Windows Security Feature Bypass Vulnerability

Important

3/5

This update is in your normal monthly updates for Windows Operating Systems.

Windows Media Player

1

CVE-2020-16915

Media Foundation Memory Corruption Vulnerability

Critical

4/5

Applicable to Windows 10, 2016 and 2019 operating systems only.

Windows RDP

3

CVE-2020-16863 CVE-2020-16927 CVE-2020-16896

Windows Remote Desktop Service Denial of Service Vulnerability Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Important

3/5

The first CVE relates to Windows 7 and 2008 R2 so are only applicable if you purchased an ESU. The second is applicable all operating systems and contained within the normal monthly patching.

Windows Secure Kernel mode

1

CVE-2020-16890

Windows Kernel Elevation of Privilege Vulnerability

Important

3/5

Applicable to Windows 10, 2016 and 2019 operating systems only.