Microsoft has broken its long-running streak of bumper Patch Tuesday updates with a slimmer October 2020 release, at least by comparison with recent months, containing fixes for 87 vulnerabilities, 11 of them rated critical.
As ever, the October update spans a multitude of software products, including Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft JET Database Engine, Azure Functions, Open Source Software, Microsoft Exchange Server, Visual Studio, PowerShellGet, Microsoft .NET Framework, Microsoft Dynamics, Adobe Flash Player and Microsoft Windows Codecs Library.
Six of the common vulnerabilities and exposures (CVEs) listed in the October update had already been publicly disclosed before the fixes shipped, which means malicious actors have had a head start on weaponising them.
“Public disclosure could mean a couple of things,” said Todd Schell, senior product manager at Ivanti. “It could be that a demonstration of exploit was performed at an event or by a researcher. It could also mean proof-of-concept code has been made available. In any case, a public disclosure does mean that threat actors have advanced warning of a vulnerability and this gives them an advantage.
“The mean time to exploit a vulnerability is 22 days, according to a research study from the RAND Institute. If a threat actor gets advanced notice of a vulnerability, they could have a head start of days or even weeks, meaning an exploit may not be very far off. This is one risk indicator that can help companies prioritise what to act on first from a threat perspective.”
Five of the publicly disclosed vulnerabilities affect Windows 10 and its corresponding server editions: CVE-2020-16898, CVE-2020-16909, CVE-2020-16901, CVE-2020-16885 and CVE-2020-16938. The sixth, CVE-2020-16937, affects .NET Framework.
Of the six publicly disclosed vulnerabilities, threat researchers are assessing CVE-2020-16898 as the most dangerous. Dubbed “Bad Neighbour” by McAfee, it is a wormable remote code execution (RCE) vulnerability in Windows 10 and Windows Server 2019 that exists because the Windows TCP/IP stack improperly handles ICMPv6 router advertisement packets. It can be exploited without authentication or user interaction by sending a specially crafted packet to a remote Windows computer.
Steve Povolny, McAfee’s head of advanced threat research, said the most obvious impact would be to consumers running Windows 10 machines, but that with automatic updates this exposure would be reduced quickly. He added that Shodan.io queries suggested the number of publicly exposed Windows Server 2019 machines was probably somewhere in the hundreds, most likely because the majority sit behind firewalls or are hosted by cloud service providers, and so do not show up in scans.
“Patching is always the first and most effective course of action,” wrote Povolny. “If this is not possible, the best mitigation is disabling IPv6, either on the NIC or at the perimeter of the network by dropping IPv6 traffic if it is non-essential. Additionally, ICMPv6 router advertisements can be blocked or dropped at the network perimeter. Windows Defender and Windows Firewall fail to block the proof-of-concept when enabled.”
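The interim mitigation Povolny describes can be scripted for hosts that cannot take the update immediately. The following PowerShell is an added example, not code from the article, from McAfee or from Microsoft. It applies the workaround Microsoft documented in its advisory for CVE-2020-16898 (turning off router-advertisement-based DNS configuration, RDNSS, per IPv6 interface with netsh) and, as an opt-in switch, the heavier option of unbinding IPv6 from every physical NIC. It assumes an elevated session on Windows 10 or Windows Server 2019 with the NetTCPIP and NetAdapter modules present; the script name and the `-DisableIPv6Binding` switch are this example's own.

```powershell
# Mitigate-BadNeighbour.ps1  (added example; not from the article, McAfee or Microsoft)
# Interim mitigation for CVE-2020-16898 until the October 2020 cumulative update is installed.
# Assumes: elevated PowerShell on Windows 10 / Server 2019; netsh "rabaseddnsconfig"
# setting (Microsoft's documented workaround) and Get-NetIPInterface / Disable-NetAdapterBinding
# are available. Supports -WhatIf so it can be dry-run first.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Also unbind IPv6 from every physical NIC, the option Povolny mentions. Check for
    # IPv6-dependent services (DirectAccess, some VPN clients) before using this.
    [switch]$DisableIPv6Binding
)

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell session."
}

# Only connected IPv6 interfaces can receive router advertisements, so those are the
# ones worth touching; disconnected ones are listed for completeness in the report.
$ifaces = Get-NetIPInterface -AddressFamily IPv6 | Where-Object ConnectionState -eq 'Connected'

foreach ($if in $ifaces) {
    $idx = $if.InterfaceIndex
    if ($PSCmdlet.ShouldProcess("$($if.InterfaceAlias) (ifIndex $idx)", "Disable RA-based DNS configuration")) {
        # Microsoft's documented workaround: stop the stack from consuming the RDNSS option.
        netsh interface ipv6 set interface $idx rabaseddnsconfig=disable | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "netsh returned $LASTEXITCODE on interface $idx" }
    }
}

# Verification: each interface should now report the RA-based DNS setting as disabled.
foreach ($if in $ifaces) {
    $line = netsh interface ipv6 show interface $if.InterfaceIndex | Select-String 'RA Based DNS Config'
    "{0,-30} {1}" -f $if.InterfaceAlias, (($line -replace '\s+', ' ').Trim())
}

if ($DisableIPv6Binding) {
    # Unbinding ms_tcpip6 removes IPv6, and therefore ICMPv6, from the NIC entirely.
    Get-NetAdapter -Physical | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, "Disable ms_tcpip6 binding")) {
            Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
        }
    }
}
```

Run it once with `-WhatIf` to see which interfaces it would change, then without. The netsh change is per interface and does not survive a new adapter being added, so it is a stopgap rather than a substitute for the update; the `-DisableIPv6Binding` path is the blunter control and is the one to avoid on hosts that rely on IPv6.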
Ivanti’s Schell also noted CVEs 2020-16947 and -16891 as ones to watch. The first is an RCE vulnerability in Microsoft Outlook, easily exploited by viewing a specially crafted email, and the second an RCE vulnerability in Windows Hyper-V.
Allan Liska of Recorded Future additionally highlighted CVE-2020-16911, an RCE vulnerability in the way the Windows Graphics Device Interface handles objects in memory, exploitable by luring the target to a website hosting a specially crafted file or by getting them to open such a file, and CVE-2020-16909, a privilege escalation vulnerability in Windows Error Reporting that affects Windows 10 and Windows Server 2016 and 2019.
Although lighter than it has been for many months, October’s Patch Tuesday still warrants close attention, according to Gill Langston, head security nerd at SolarWinds MSP, who said: “I recommend addressing the Windows TCP/IP vulnerabilities first, with highest priority on any internet-facing systems. Then get those RDP servers patched, since Remote Desktop seems to be one of the most popular attack vectors these days.
“Next, turn your focus towards patching your Hyper-V systems, and then patching workstations, especially those running Outlook, and finally your SharePoint servers, which by now should be a regular part of your routine, considering the volume of SharePoint vulnerabilities fixed this year.”
Justin Knapp, product marketing manager at Automox, added: “This may not be a record-breaking month in terms of overall quantity, but October poses a familiar challenge that continues to persist in the form of delayed patch deployment, unfortunately increasing risk at a time when attack frequency is going up.
“With remote work complicating matters further, we are witnessing a major shift within the IT landscape to lean on cloud-based solutions for distribution just to keep pace with the endless flow of updates across an increasingly distributed workforce.”