This month’s Microsoft Patch Tuesday addresses 112 vulnerabilities with 17 of them labeled as Critical. The 17 Critical vulnerabilities cover Windows Codecs, Network File System, Sharepoint, Windows Print Spooler, and several other workstation vulnerabilities. Adobe released patches today for Adobe Connect and Adobe Reader for Android.
The Windows Codecs, GDI+, Browser, Office and Exchange Server vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Microsoft patched six vulnerabilities in SharePoint, and one of them could lead to Remote Code Execution (CVE-2020-17061). Three of these vulnerabilities (CVE-2020-17016, CVE-2020-17015, CVE-2020-17060) involve spoofing vulnerabilities, and two (CVE-2020-16979, CVE-2020-17017) involve information disclosure vulnerabilities. The remaining one (CVE-2020-17061) is a remote code execution vulnerability. Because of this, it is highly recommended to prioritize these patches across all SharePoint deployments.
Windows Kernel Privilege Escalation
While listed as Important, there is an Actively Attacked vulnerability (CVE-2020-17087) in Microsoft Windows. This privilege escalation vulnerability was publicly disclosed by Google in late October. According to Google’s Project Zero security researchers Mateusz Jurczyk and Sergei Glazunov, the bug allows an attacker to escalate their privileges in Windows. This patch should be prioritized across all Windows devices.
Windows Network File System RCE
Microsoft fixed a vulnerability in Network File System (NFS) (CVE-2020-17051). This CVE received a CVSS score of 9.8 with low attack complexity without any user interaction. This has a potential of wormable and should be prioritized.
Print Spooler RCE
Microsoft also patched a Remote Code Execution vulnerability in Print Spooler (CVE-2020-17042), which would lead to elevation of privileges. The exploit requires user interaction but has a low attack complexity which makes it more likely to be compromised. This patch should be prioritized.
While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.