Patch Tuesday – November 2020
This month Microsoft patches a Windows kernel zero-day flaw that is being exploited by hackers. Excel, SharePoint and Exchange Server also get patches for remote code execution (RCE) flaws.
Common Vulnerability Scoring System
Microsoft has updated its Security Update Guide to better comply with the Common Vulnerability Scoring System (CVSS). CVSS provides a precise way to describe vulnerabilities with details like attack vector, complexity, and whether a hacker needs elevated privileges to run a successful attack.
Previously, Microsoft provided three-paragraph descriptions of each vulnerability. In the new Security Update Guide, score metrics for different attributes are used to describe bugs instead. The new scoring systems appears to make sense in many ways. But it does mean that unless the details are revealed elsewhere, I won’t be able to provide descriptions of how bugs could be used to exploit Windows.
Windows and Windows Server
Following an update (CVE-2020-15999) from Google for its Chrome browser in October, Microsoft released a patch for a zero-day (CVE-2020-17087) in the Windows kernel that in combination with the Chrome flaw, could be used to gain access to a system. It’s not rated critical because the bug by itself cannot be used to elevate privileges. So, users not logged in with administrator accounts are at less risk. Regardless of the rating, CVE-2020-17087 is already being actively exploited in the wild so it’s important to get your systems patched.
Out of the patches rated critical this month, an RCE affecting the Windows Network File System (NFS) could be used to completely compromise systems without elevated privileges or any user interaction. The remaining critical vulnerability is in the Windows Print Spooler and it requires user interaction for a successful attack.
Internet Explorer 11 gets two patches for RCE flaws rated critical. IE11 is the default browser for users still on Windows 7 and it is also included out-of-the-box in Windows 10. Microsoft Edge (HTML), i.e. the legacy version of the browser, also gets one important and one critical RCE patch.