Patch Tuesday, November 2020 edition – Krebs on Security




Adobe and Microsoft each released a slew of updates today to address critical security holes in their software. Microsoft’s release includes fixes for 112 separate vulnerabilities, including a zero-day vulnerability that is already being exploited to attack Windows users. Microsoft is also taking criticism for changing its security advisories and limiting the amount of information disclosed about each bug.

Some of the 112 issues fixed in today’s patch bundle are rated “critical,” meaning they can be exploited by malware or malcontents to gain complete remote control of a vulnerable Windows computer without any help from users.

Most of the rest were rated “important,” which in Redmond parlance refers to a vulnerability the exploitation of which could “compromise the confidentiality, integrity or availability of user data, or the integrity or availability of treatment resources”.

One of the main concerns with all of these updates this month is CVE-2020-17087, which is a “significant” bug in the Windows kernel that is already seeing active exploitation. CVE-2020-17087 is not listed as critical because it is a so-called privilege escalation vulnerability that would allow an attacker who has already compromised a less powerful user account on a system to obtain administrative control. Essentially, it would need to be chained with another exploit.

Unfortunately, that’s exactly what Google researchers described recently. On October 20, Google released an update for its Chromium browser which fixed a bug (CVE-2020-15999) that was seen being used in conjunction with CVE-2020-17087 to compromise Windows users.

If you take a look at today’s Microsoft advisory for CVE-2020-17087 (or any of today’s batch), you might notice that they seem a bit sparser. Indeed, Microsoft has chosen to restructure these advisories around the CVSS (Common Vulnerability Scoring System) format to more closely align the advisory format with that of other major software vendors.

But in doing so, Microsoft has also removed some useful information, such as the description explaining in general terms the scope of the vulnerability, how it can be exploited and what the result of exploitation could be. Microsoft explained its reasoning behind this change in a blog post.

Not everyone is happy with the new format. Bob Huber, security manager at Tenable, praised Microsoft for adopting an industry standard, but said the company should consider that the people reviewing Patch Tuesday releases are not security practitioners but rather IT peers responsible for applying updates, who often are not able (and should not have to) decipher raw CVSS data.

“With this new format, end users are completely blind to how a particular CVE affects them,” Huber said. “Plus, it makes it almost impossible to determine the urgency of a given fix. It is difficult to understand the benefits for end users. However, it’s not too hard to see how this new format benefits bad actors. They’ll reverse engineer the fixes, and since Microsoft won’t be explicit about the details of the vulnerability, the benefit goes to attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for advocates to prioritize their remediation efforts.”

Dustin Childs with Trend Micro’s Zero Day Initiative was also puzzled by the lack of details included in Microsoft notices related to two other flaws fixed today: one in Microsoft Exchange Server (CVE-2020-16875), and CVE-2020-17051, which is a frightening weakness in the Windows Network File System (NFS).

The Exchange issue, Childs said, was first reported by the winner of the Pwn2Own Miami bug research competition.

“With no details provided by Microsoft, we can only assume that this is the CVE-2020-16875 bypass that he previously mentioned,” Childs said. “It is very likely that he will publish details of these bugs soon. Microsoft thinks this is important, but I would rate it as critical, especially since people seem to have a hard time patching Exchange.”

Likewise, with CVE-2020-17051, there was a noticeable lack of detail for a bug that earned a CVSS score of 9.8 (10 is most dangerous).

“With no description to work from, we have to rely on CVSS to provide clues to the real risk of the bug,” Childs said. “Think of this as no user interaction with low attack complexity, and since NFS is a network service, you should treat it as a dewormer until we learn otherwise.”

In addition, Adobe today released updates to address at least 14 security holes in Adobe Acrobat and Reader. Details on these fixes are available here. There are no security updates for Adobe’s Flash Player, which Adobe says will be retired at the end of the year. Microsoft, which bundled versions of Flash with its web browsers, announced plans to release an update in December that will remove Flash from Windows PCs, and last month it made the removal tool available for download.

Windows 10 users should be aware that the operating system will download updates and install them on its own schedule, shutting down active programs and restarting the system. If you want to make sure that Windows has been configured to pause updating so that you can back up your files and/or your system, check out this guide.

But please back up your system before applying any of these updates. Windows 10 even has built-in tools to help you do this, either by file/folder, or by creating a full, bootable copy of your hard drive in one go.

As always, if you have any glitches or issues installing any of these fixes this month, consider leaving a comment about it below; there is a better-than-even chance that other readers have been through the same thing and can provide some useful advice here.

Keywords: Bob Huber, CVE-2020-15999, CVE-2020-16875, CVE-2020-17051, CVE-2020-17087, Dustin Childs, Microsoft Exchange Server, Tenable, Trend Micro, Windows Network File System, Zero Day Initiative
