Microsoft formally released fixes for 112 newly discovered security vulnerabilities as part of its November 2020 Patch Tuesday, including an actively exploited zero-day flaw disclosed by Google’s security team last week.
The rollout addresses flaws, 17 of which are rated as Critical, 93 are rated as Important, and two are rated Low in severity, once again bringing the patch count over 110 after a drop last month.
The security updates encompass a range of software, including Microsoft Windows, Office and Office Services and Web Apps, Internet Explorer, Edge, ChakraCore, Exchange Server, Microsoft Dynamics, Windows Codecs Library, Azure Sphere, Windows Defender, Microsoft Teams, and Visual Studio.
Chief among those fixed is CVE-2020-17087 (CVSS score 7.8), a buffer overflow flaw in the Windows Kernel Cryptography Driver (“cng.sys”) that was disclosed on October 30 by the Google Project Zero team as being used in conjunction with a Chrome zero-day to compromise Windows 7 and Windows 10 users.
For its part, Google released an update for its Chrome browser to address the zero-day (CVE-2020-15999) last month.
Microsoft’s advisory about the flaw doesn’t go into any details beyond the fact that it was a “Windows Kernel Local Elevation of Privilege Vulnerability,” in part to restructure security advisories in line with the Common Vulnerability Scoring System (CVSS) format starting this month.
Outside of the zero-day, the update fixes a number of remote code execution (RCE) vulnerabilities impacting Exchange Server (CVE-2020-17084), Network File System (CVE-2020-17051), and Microsoft Teams (CVE-2020-17091), as well as a security bypass flaw in Windows Hyper-V virtualization software (CVE-2020-17040).
CVE-2020-17051 is rated 9.8 out of a maximum 10 on the CVSS score, making it a critical vulnerability. Microsoft, however, noted that the attack complexity of the flaw (the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability) is low.
As with the zero-day, the advisories associated with these security shortcomings are light on descriptions, with little to no information on how these RCE flaws are abused or which security feature in Hyper-V is being bypassed.
Other critical flaws fixed by Microsoft this month include memory corruption vulnerabilities in Microsoft Scripting Engine (CVE-2020-17052) and Internet Explorer (CVE-2020-17053), and multiple RCE flaws in the HEVC Video Extensions Codecs library.
It’s highly recommended that Windows users and system administrators apply the latest security patches to resolve the threats associated with these issues.
To install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.