Microsoft pressing a pause button on updates

Microsoft has told Windows 10 owners and IT admins not to expect any Windows 10 preview updates in December, after the mandatory Patch Tuesday updates.

The company will resume monthly servicing with the January 2021 security releases, it said.

Microsoft releases optional non-security Windows 10 updates to give customers time to test the updates against systems.

It calls the first week of each month ‘A week’ and typically issues fixes for Office. The second week is ‘B week’ or Patch Tuesday. C and D weeks happen on the third and fourth weeks of the month.

The last time Microsoft paused optional non-security updates that are released after Patch Tuesday was in March. It resumed optional updates in July but maintained its Patch Tuesday schedule throughout the pandemic.

Microsoft also released a statement confirming it is starting to force Windows 10 PCs on version 1903 up to 1909.

All editions of Windows 10, version 1903 and Windows 10 Server, version 1903 will reach end of service. After that date, devices running these editions will no longer receive monthly security and quality updates.

To keep you protected and productive, we will soon begin updating devices running Windows 10, version 1903 to Windows 10, version 1909. This update will install like a monthly update, resulting in a far faster update experience.

Patch Tuesday November 2020

  • Microsoft has plugged 112 security holes, including an actively exploited one
  • Adobe has delivered security updates for Adobe Reader Mobile and Adobe Connect
  • Intel has dropped a huge stack of security advisories and patches
  • SAP has released 12 security notes and updated three previously released ones
  • Mozilla has fixed a critical vulnerability affecting Firefox, Firefox ESR, and Thunderbird

Microsoft covers 112 CVEs this November affecting products ranging from our standard Windows Operating Systems and Microsoft Office products to some new entries such as Azure Sphere.

Microsoft CVE-2020-17087: Windows Kernel Local Elevation of Privilege Vulnerability

Coming as no surprise to anyone, the previously disclosed CVE-2020-17087 zero-day affecting all supported versions of Windows has a patch this month. It is with this same patch that over half of the additional vulnerabilities detailed this month can be remediated, so definitely have your patching cycles ready. CVE-2020-17087 is a buffer overflow vulnerability behind the Windows Kernel Cryptography Driver that gave local attackers the ability to escalate privileges. “exploitability is at least somewhat more limited than it might appear at first glance.” This does not diminish the need to prioritize Operating System patching because of the next vulnerability up for discussion: CVE-2020-17051.

Microsoft CVE-2020-17051: Windows Network File System Remote Code Execution

CVE-2020-17051 is this month’s highest severity vulnerability sitting at CVSS 9.8. Microsoft describes CVE-2020-17051 as a Remote Code Execution vulnerability affecting Windows Network File System. At the time of writing, information regarding this vulnerability is light but Microsoft has noted that it has low attack complexity and does not require user interaction to exploit. This is aptly represented by the high CVSS score. At this point, this vulnerability is not known to be exploited in the wild.

Browser Vulnerabilities Come Back After An October Break

While it feels like it’s been a while, browser vulnerabilities are still a thing, and this month brought along five vulnerabilities affecting Internet Explorer and Edge browsers (EdgeHTML-based). CVE-2020-17048, CVE-2020-17052, CVE-2020-17053, CVE-2020-17054, and CVE-2020-17058 are all Remote Code Execution vulnerabilities potentially affecting Internet Explorer and/or Microsoft Edge (again, non-Chromium).

As a gentle reminder, Security-Only patches for operating systems that provide a Monthly Rollup or Security-Only update streams do not include browser remediations. Organizations opting for Security-Only patches should be aware that there are separate Cumulative Security Updates for Internet Explorer.

Windows 0 Day –> Google Project 0 Discovered 🐞🦠

Google’s Project Zero bug-hunting team has disclosed a Windows kernel flaw that’s being actively exploited by miscreants to gain administrator access on compromised machines. It went public 7 days after it was discovered.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” the bug report explains. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation.”

Malware already on a system, or a rogue insider, can potentially exploit this buggy driver to gain admin-level control of a vulnerable Windows box. The flaw, designated as CVE-2020-17087, is the result of improper 16-bit integer truncation that can lead to a buffer overflow.
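The bug class named above (a length narrowed to 16 bits before it sizes a buffer), shown as an added illustration beside a checked version. This is not code from cng.sys, the Project Zero report, or the original page; the hex formatter, its expansion factor of 3, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical formatter: each input byte becomes "XX " (3 output bytes).
   Constructed to show the bug class; this is not the cng.sys code. */
#define EXPAND 3u

/* Flawed sizing: the product is stored in a 16-bit variable, so only the
   low 16 bits survive and a large input yields a tiny allocation size. */
uint16_t alloc_size_truncated(uint32_t in_len) {
    return (uint16_t)(in_len * EXPAND);
}

/* 1 if a loop writing EXPAND bytes per input byte would run past a buffer
   sized by alloc_size_truncated(); nothing is actually written here. */
int flawed_path_overflows(uint32_t in_len) {
    return (uint64_t)in_len * EXPAND > alloc_size_truncated(in_len);
}

/* Hardened: validate the length before the narrowing conversion.
   Returns 0 on success, -1 if the result cannot fit in 16 bits, -2 on OOM. */
int format_checked(const uint8_t *in, uint32_t in_len,
                   char **out, uint16_t *out_len) {
    static const char hex[] = "0123456789ABCDEF";
    if (in_len > UINT16_MAX / EXPAND)
        return -1;                       /* reject instead of truncating */
    uint16_t need = (uint16_t)(in_len * EXPAND);
    char *buf = malloc(need ? need : 1);
    if (buf == NULL)
        return -2;
    for (uint32_t i = 0; i < in_len; i++) {
        buf[i * EXPAND]     = hex[in[i] >> 4];
        buf[i * EXPAND + 1] = hex[in[i] & 0x0F];
        buf[i * EXPAND + 2] = ' ';
    }
    *out = buf;
    *out_len = need;
    return 0;
}

int main(void) {
    uint32_t len = 21846;                /* constructed: 21846 * 3 = 0x10002 */
    printf("needed=%llu allocated=%u overflow=%d\n",
           (unsigned long long)len * EXPAND,
           (unsigned)alloc_size_truncated(len), flawed_path_overflows(len));
    return 0;
}
```

The same review question applies to any driver or parser that stores a computed length in a narrower type: is the range checked before the cast, or only after the allocation has already been sized?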

The Google researchers have posted PoC exploit code tested on Windows 10 1903 (64-bit). They say the cng.sys flaw looks to have been present since at least Windows 7.

The Windows giant suggested exploitation would be difficult because an attacker would first need to compromise a host machine and then exploit another vulnerability of the local system. Microsoft says the only known remote-based attack chain for this vulnerability has been dealt with, a hole in Chromium-based browsers (CVE-2020-15999) that was fixed this month.

A patch is expected by November 10, 2020, which would be the next “Patch Tuesday” from Microsoft.

Unscheduled emergency patches! To be patched

Microsoft has released two unscheduled security updates to address remote code execution (RCE) bugs impacting Windows Codecs Library and Visual Studio Code users. The first vulnerability, tracked as CVE-2020-17022, was found to affect users running Windows 10 version 1709 or later, while the second, CVE-2020-17023, affects the Visual Studio Code app.

The company has rated both vulnerabilities, which are now fixed by the security update, as “important” in severity.

Starting with the CVE-2020-17022 vulnerability, Microsoft explains that the bug exists in the way that “Microsoft Windows Codecs Library handles objects in memory.” Attackers could take advantage of the vulnerability when users run “malicious images”, planted by the attacker, on their system. However, only users who installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store are said to be affected. Users can check whether the system has the HEVC codec by heading to Settings > Apps > Features > HEVC, Advanced Options.

The second vulnerability, CVE-2020-17023, impacts Visual Studio Code and is triggered by tricking users into opening a malicious ‘package.json’ file. Once the file is loaded in Visual Studio Code, the attacker can execute malicious code. The severity of this vulnerability also depends on the permissions of the user running Visual Studio Code. “If the current user is logged on with administrative user rights, an attacker could take control of the affected system.”

Meanwhile, the company also released its monthly security update (October security patch) that patched 87 vulnerabilities across a wide range of Microsoft products.