- Microsoft has plugged 112 security holes, including an actively exploited one
- Adobe has delivered security updates for Adobe Reader Mobile and Adobe Connect
- Intel has dropped a huge stack of security advisories and patches
- SAP has released 12 security notes and updated three previously released ones
- Mozilla has fixed a critical vulnerability affecting Firefox, Firefox ESR, and Thunderbird
Microsoft covers 112 CVEs this November affecting products ranging from our standard Windows Operating Systems and Microsoft Office products to some new entries such as Azure Sphere.
Microsoft CVE-2020-17087: Windows Kernel Local Elevation of Privilege Vulnerability
Coming as no surprise to anyone, the previously disclosed CVE-2020-17087 zero-day affecting all supported versions of Windows has a patch this month. It is with this same patch that over half of the additional vulnerabilities detailed this month can be remediated, so definitely have your patching cycles ready. CVE-2020-17087 is a buffer overflow vulnerability behind the Windows Kernel Cryptography Driver that gave local attackers the ability to escalate privileges. “exploitability is at least somewhat more limited than it might appear at first glance.” This does not diminish the need to prioritize Operating System patching because of the next vulnerability up for discussion: CVE-2020-17051.
Microsoft CVE-2020-17051: Windows Network File System Remote Code Execution
CVE-2020-17051 is this month’s highest severity vulnerability sitting at CVSS 9.8. Microsoft describes CVE-2020-17051 as a Remote Code Execution vulnerability affecting Windows Network File System. At the time of writing, information regarding this vulnerability is light but Microsoft has noted that it has low attack complexity and does not require user interaction to exploit. This is aptly represented by the high CVSS score. At this point, this vulnerability is not known to be exploited in the wild.
Browser Vulnerabilities Come Back After An October Break
While it feels like it’s been a while, browser vulnerabilities are still a thing, and this month brought along five vulnerabilities affecting Internet Explorer and Edge browsers (EdgeHTML-based). CVE-2020-17048, CVE-2020-17052, CVE-2020-17053, CVE-2020-17054, and CVE-2020-17058 are all Remote Code Execution vulnerabilities potentially affecting Internet Explorer and/or Microsoft Edge (again, non-Chromium).
As a gentle reminder, Security-Only patches for operating systems that provide a Monthly Rollup or Security-Only update streams do not include browser remediations. Organizations opting for Security-Only patches should be aware that there are separate Cumulative Security Updates for Internet Explorer.