{"id":6574,"date":"2020-11-12T15:07:38","date_gmt":"2020-11-12T15:07:38","guid":{"rendered":"https:\/\/www.n-able.com\/?p=6574"},"modified":"2022-06-10T18:14:56","modified_gmt":"2022-06-10T17:14:56","slug":"november-2020-patch-tuesday-update-111-cve-numbers-addressed","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/fr\/blog\/november-2020-patch-tuesday-update-111-cve-numbers-addressed","title":{"rendered":"November 2020 Patch Tuesday Update: 111 CVE Numbers Addressed"},"content":{"rendered":"

This has been an interesting Patch Tuesday for me, mainly because this is the first month of using Microsoft\u2019s new version of its\u00a0Security Update Guide<\/a>. The new system makes it incredibly easy to find the vulnerabilities that aren\u2019t rated as \u201cCritical,\u201d but are listed as \u201cExploitation Detected,\u201d or \u201cExploitation More Likely.\u201d The added vulnerability view lets you add columns to the data to find these hidden items. However, the descriptions and details aren\u2019t as in-depth as the previous version, so learning to navigate the new portal will take some time. As a result, content on this post may change slightly as I discover more information. If that happens, I\u2019ll include any updates to this post at the end. I appreciate your patience as I get use to the new update guide.<\/p>\n

This month brings us fixes for 112 vulnerabilities\u2014back to what has become a normal amount for this year after last month\u2019s lighter drop. Of these vulnerabilities, 16 are marked as \u201cCritical\u201d and 87 as \u201cImportant.\u201d These include some of the usual suspects, as well as one high-profile, zero-day vulnerability that was announced after last month\u2019s Patch Tuesday. As always, let\u2019s review the Criticals and some of the Importants that may warrant attention.<\/p>\n

Operating system<\/h2>\n

There were surprisingly few \u201cCritical\u201d operating system vulnerabilities this month\u2014only two. First we have\u00a0CVE-2020-17051<\/a>, titled\u00a0Windows Network File System Remote Code Execution Vulnerability<\/b>. This is a remote code vulnerability listed as \u201cExploitation More Likely.\u201d It has the highest CVSS rating (9.8) of the vulnerabilities this month. It\u2019s remotely exploitable and doesn\u2019t require any user interaction. This generally means any network exposed system is vulnerable\u2014and with no workarounds listed, this one should get primary attention this month. Make sure to install updates for Windows 7 up to the current version of Windows 10, including server versions.<\/p>\n

Next is a Windows\u00a0Print Spooler Remote Code Execution Vulnerability,\u00a0<\/b>CVE-2020-17042<\/a>. This vulnerability does require user interaction, but doesn\u2019t require special privileges to execute. Microsoft lists it as \u201cExploitation Less Likely,\u201d and it also affects Windows 7 up to Windows 10, including server versions.<\/p>\n

Besides those Criticals, there are several others to pay attention to on the operating system side.<\/p>\n

Let\u2019s focus on the previously announced zero-day vulnerability first.\u00a0CVE-2020-17087<\/a>\u00a0is a\u00a0Windows Kernel Local Elevation of Privilege Vulnerability\u00a0<\/b>that was disclosed by Google\u2019s Project Zero,\u00a0as reported last month<\/a>. It\u2019s a privilege escalation vulnerability someone could use with another Chrome vulnerability (which has since been fixed). It\u2019s listed as \u201cExploitation Detected\u201d and affects Windows 7 up to Windows 10, including server versions.<\/p>\n

There\u2019s also another\u00a0Windows Network File System Information Disclosure Vulnerability,\u00a0<\/b>CVE-2020-17056<\/a>, that\u2019s listed as \u201cExploitation More Likely.\u201d However, this one requires access to the vulnerable system, meaning an attacker could use it as part of a chained attack after gaining access to the system. It would disclose information in memory. This vulnerability affects Windows 8.1 up to Windows 10, including server versions.<\/p>\n

CVE-2020-17088<\/a>\u00a0is a\u00a0Windows Common Log File System Driver Elevation of Privilege Vulnerability\u00a0<\/b>that Microsoft listed as \u201cExploitation More Likely\u201d with a low complexity and requires no user interaction.<\/p>\n

There is a\u00a0Win32k Elevation of Privilege Vulnerability<\/b>,\u00a0CVE-2020-17010<\/a>, that also has a low complexity rating. It\u2019s listed as \u201cExploitation More Likely\u201d on all supported Windows 10 versions, including server.<\/p>\n

Finally,\u00a0CVE-2020-16998<\/a>\u00a0is a\u00a0DirectX Elevation of Privilege Vulnerability\u00a0<\/b>that requires no user interaction and is listed as \u201cExploitation More Likely.\u201d<\/p>\n

Browsers<\/h2>\n

Last month there were no browser vulnerabilities, and while I stated Microsoft may make up for it this month, there are still only four \u201cCritical\u201d browser vulnerabilities this month.<\/p>\n

CVE-2020-17052<\/a>\u00a0is a\u00a0Scripting Engine Memory Corruption Vulnerability\u00a0<\/b>in Internet Explorer 11 and the Edge-HTML version of Microsoft Edge\u00a0<\/b>that appears to be related to malicious Exchange Web Service subscription notifications. It\u2019s listed as \u201cExploitation More Likely.\u201d It would grant the attacker access to the system and requires user interaction. There\u2019s a mitigation listed on the details, but it would block some important Exchange functions. At this time, there is no update available on the Exchange side, but Microsoft said it\u2019s planning one.<\/p>\n

CVE-2020-17048\u00a0<\/a>is listed as \u201cExploitation Less Likely.\u201d It\u2019s a\u00a0Chakra Scripting Engine Memory Corruption Vulnerability\u00a0<\/b>that requires user interaction and would grant the attacker access to the system. It\u2019s found in Internet Explorer 11 and the Edge-HTML version of Microsoft Edge as well.<\/p>\n

The\u00a0Internet Explorer Memory Corruption Vulnerability\u00a0<\/b>labeled as\u00a0CVE-2020-17053<\/a>\u00a0is listed as \u201cExploitation Less Likely\u201d and does require a user to access a malicious URL. It would grant the attacker full control of the system. This vulnerability affects Internet Explorer 11.<\/p>\n

The last \u201cCritical\u201d browser vulnerability is\u00a0CVE-2020-17058<\/a>. It\u2019s titled\u00a0Microsoft Browser Memory Corruption Vulnerability<\/b>, and it affects Internet Explorer 11 and the Edge-HTML version of Microsoft Edge browser. It\u2019s listed as \u201cExploitation Less Likely,\u201d and at this point there is only proof-of-concept code with no known exploits.<\/p>\n

Other applications<\/h2>\n

While there are no other \u201cCritical\u201d vulnerabilities in the other applications list, there is one SharePoint vulnerability that warrants extra attention.\u00a0CVE-2020-17061<\/a>\u00a0is a\u00a0Microsoft SharePoint Remote Code Execution Vulnerability\u00a0<\/b>that is a low complexity attack\u2014this is likely why it\u2019s listed as \u201cExploitation More Likely.\u201d<\/p>\n

Other notable vulnerabilities<\/b><\/p>\n

There are 10 vulnerabilities listed in the video extensions offered in the Windows App Store. While I won\u2019t list each one here, the Raw Image, HEVC Video, AV1, and HEIF Image extensions are all affected. According to Microsoft, they will apply the updates automatically; no action is required.<\/p>\n

There are several other applications this month that have fixes for vulnerabilities that are not listed as \u201cCritical\u201d or have any known exploits, but here are the highlights:<\/p>\n