This month’s Microsoft Patch Tuesday addresses 87 vulnerabilities with 11 of them labeled as Critical. The 11 Critical vulnerabilities cover TCP/IP Stack, SharePoint, Windows Camera Codec Pack, Graphics and several other workstation vulnerabilities. Adobe issued patches today for Adobe Flash Player.
Continuing the trend, today’s Patch Tuesday fixes many vulnerabilities that impact workstations. The Windows Camera Codec, GDI+, Browser, Hyper-V, Outlook, Media Foundation and Graphics components vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Windows TCP/IP RCE
An extremely critical Remote Code Execution vulnerability (CVE-2020-16898) is fixed today. Microsoft ranks this vulnerability as “Exploitation More Likely,” and according to Microsoft and the researchers at McAfee, the vulnerability is wormable. It is highly recommended to prioritize these patches on all Windows 10, including Microsoft DNS Servers.
This vulnerability allows attackers to take complete control over Windows systems by sending malicious ICMPv6 Router Advertisement packets to vulnerable systems.
Two remote code execution vulnerabilities (CVE-2020-16951, CVE-2020-16952) are patched in Sharepoint Server that would allow an authenticated user on a guest system to perform security actions for an application pool process. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for all SharePoint servers.
A remote code execution vulnerability CVE-2020-16923 is patched in the Graphics component that could be exploited once a user opens a specially crafted file. Based on the information given, this should be prioritized across all Windows servers and workstations.
While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.