Welcome back to another instalment of the Softcat Post-Patch Tuesday roundup. It’s a big month, with Microsoft once again dropping a large batch of updates and a number of other substantial patches also being released by other vendors. Let’s get started…
With 112 fixes, of which 17 are considered critical, we’re back on familiar ground in terms of the size of Microsoft’s update this month. Despite the number of updates, there’s only really a couple that need digging into. The headline bug fix is CVE-2020-17087, an elevation of privilege vulnerability affecting the Windows Kernel. Reported by Google, and being actively exploited in the wild, this bug can be used by an attacker to gain additional privileges on a compromised device. Google demonstrated this by achieving a sandbox escape from their Chrome browser using this bug; sandboxing is a common technique to ringfence processes and prevent the code running in them from interacting with more sensitive parts of the operating system. Being able to break out from the sandbox enables an attacker to start looking for other vulnerabilities to exploit in their quest to compromise the machine.
Microsoft Exchange email server is once again targeted by a pair of bugs, both of which enable Remote Code Execution. CVE-2020-17083 and CVE-2020-17084 affect all supported versions of Exchange and could be exploited by tricking a user into opening a crafted email. Further details are scant at the moment, with some speculation that the bugs could be used to bypass the fix for CVE- 2020-16875 which was dealt with back in August.
We’ve mentioned the impending end-of-life for Adobe Flash Player a few times over the last year, and we’re now down to the final warning. The aging product has been the subject of many security bugs over the years and will no longer be updated from December. Microsoft are planning to release a tool as part of December 2020’s Patch Tuesday which will actively remove it from Windows machines, which could leave enterprises in a difficult situation if their migration away from Flash-based applications is not yet complete.
Aside from the Flash concerns, Acrobat and Reader get a number of bug fixes, including 4 Critical arbitrary code execution flaws which can be triggered by opening a malformed PDF.