This month’s security patch release addresses critical vulnerabilities including a Windows kernel flaw.
It’s that time of the month when Microsoft issues security patches, and the November 2020 release is a sizeable one. In all, Microsoft has released fixes for 112 newly discovered security vulnerabilities, including an actively exploited zero-day flaw disclosed by Google’s security team last week.
Microsoft has rated 17 of the patches as Critical, 93 as Important, and two as Low in severity. The size of this rollout once again brings the patch count over 110 after we had seen a drop last month.
The release affects multiple Microsoft products
The security updates encompass a range of software, including Microsoft Windows, Office and Office Services and Web Apps, Internet Explorer, Edge, ChakraCore, Exchange Server, Microsoft Dynamics, Windows Codecs Library, Azure Sphere, Windows Defender, Microsoft Teams, and Visual Studio.
The 112 flaws include a Windows zero-day bug which Google discovered last month. Hackers are actively exploiting this bug in the field.
The flaw, tracked as CVE-2020-17087, ranks as “important” on the US government’s CVSS scale. It resides in the Windows Kernel Cryptography Driver. It is an elevation of privilege vulnerability that could allow an attacker to perform a sandbox escape.
Attackers exploit this flaw in tandem with another zero-day flaw. The second flaw is CVE-2020-15999 and affects FreeType, a software development library that is also a part of Google’s Chrome browser.
Google’s Project Zero uncovered both security flaws. They have determined that chaining them together could allow an attacker to compromise and gain administrator-level access to a system.
Among those ranked as critical, one earned a very high 9.8 out of 10 on the CVSS scale. This vulnerability is tracked as CVE-2020-17051 and can be found in the Windows Network File System. The bug is categorized as a remote code execution (RCE) flaw whose exploitation is “more likely”.
Microsoft has identified another RCE vulnerability where they see exploitation as “more likely.” This is the flaw affecting Microsoft SharePoint and indexed as CVE-2020-17061.
Microsoft highly recommends that Windows users and system administrators apply the latest security patches to resolve the threats associated with these issues as soon as possible.