Microsoft’s November Patch Tuesday roundup of security fixes tackled an unusually large crop of remote code execution (RCE) bugs. Twelve of Microsoft’s 17 critical patches were tied to RCE bugs. In all, 112 vulnerabilities were patched by Microsoft, with 93 rated important, and two rated low in severity.
Tracked as CVE-2020-17087, one Windows kernel local elevation of privilege vulnerability was red-flagged by Microsoft as being actively exploited in the wild. Last week, the bug was disclosed by Google Project Zero, which reported the flaw was being exploited in the wild alongside a Google Chrome flaw (CVE-2020-15999) – which had been patched on Oct. 20.
Microsoft rated the vulnerability (CVE-2020-17087) as important in severity, likely because an attacker interested in exploiting the bug would need to have physical access to the various installs of Windows Server, Windows 10/RT/8.1/7 impacted by the flaw. According to Google, the bug has to do with the way the Windows Kernel Cryptography Driver (cng.sys) processes input/output control (IOCTL) in a way that cannot be expressed by regular system calls.
“One of the most critical vulnerabilities patched this Tuesday is CVE-2020-17051, a remote code execution (RCE) vulnerability found in Windows’ Network File System (NFS),” wrote Chris Hass, director of information security and research at Automox, in his Patch Tuesday analysis.
He explained, the bug is particularly concerning “because Windows’ NFS is essentially a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.”
“As you can imagine, with the functionality this service provides, attackers have been taking advantage of it to gain access to critical systems for a long time. It won’t be long before we see scanning of port 2049 increase over the next few days, with exploitation in the wild likely to follow,” he wrote.
Automox researchers also suggested SysAdmins prioritize patches for a pair of critical memory corruption vulnerabilities in Microsoft’s Scripting Engine and Internet Explorer. Both (CVE-2020-17052, CVE-2020-17053) could lead to remote code execution.
“A likely attack scenario would be to embed a malicious link in a phishing email that the victim would click to lead to a compromised landing page hosting the exploit,” Hass wrote.
Descriptions Removed from Patch Tuesday Bulletin
For many Patch-Tuesday veterans, it won’t go unnoticed that starting with November’s bulletin Microsoft removed the description section of the CVE overviews. The new approach was announced on Monday by the Microsoft Security Response Center. It describes a heavier reliance on the industry standard Common Vulnerability Scoring System (CVSS) to provide more generalized vulnerability information for Patch Tuesday security bulletins.
“This is a precise method that describes the vulnerability with attributes such as the attack vector, the complexity of the attack, whether an adversary needs certain privileges, etc.,” Microsoft wrote.
For Zero Day Initiative’s Dustin Childs, the new approach makes sense. He said, in many cases, “an accurate CVSS is really all you need. After all, there’s only so much you can say about another SharePoint cross-site scripting (XSS) bug or a local privilege escalation that requires you to log on and run a specially crafted program. However, CVSS itself is not flawless.”
Tenable’s chief security officer, Bob Huber wasn’t as generous. ”
“Microsoft’s decision to remove CVE description information from its Patch Tuesday release is a bad move, plain and simple. By relying on CVSSv3 ratings alone, Microsoft is eliminating a ton of valuable vulnerability data that can help inform organizations of the business risk a particular flaw poses to them,” he wrote.
He argued that the new format was a blow to security and boon to adversaries. “End-users [will be] completely blind to how a particular CVE impacts them. What’s more, this makes it nearly impossible to determine the urgency of a given patch. It’s difficult to understand the benefits to end-users.”
Huber added: “However, it’s not too difficult to see how this new format benefits bad actors. They’ll reverse engineer the patches and, by Microsoft not being explicit about vulnerability details, the advantage goes to attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for defenders to prioritize their remediation efforts.”
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.