Microsoft patches 87 vulnerabilities in October 2020 Patch Tuesday update
Twelve of them are listed as 'Critical'
Microsoft has released its October 2020 Patch Tuesday update, addressing a total of 87 security vulnerabilities across 12 products.
Of the 87 security bugs fixed this month, 12 are listed as 'critical', meaning that malicious actors can exploit them to gain full control over a vulnerable system with little or no help from users.
Seventy-four vulnerabilities are classified as 'important', while one is 'moderate' in severity.
The October 2020 security release covers a wide range of software, including Microsoft Windows, Visual Studio, Microsoft Exchange Server, Microsoft Dynamics, Microsoft JET Database Engine, Microsoft Office and Microsoft Office Services and Web Apps, Open Source Software, Azure Functions, Microsoft .NET Framework, PowerShellGet, Adobe Flash Player and Microsoft Windows Codecs Library.
None of the flaws fixed this month is known to have been publicly exploited, Microsoft said.
The most newsworthy fix this month is for the Critical-rated CVE-2020-16898 vulnerability impacting Windows 10 and Windows Server 2019. This bug exists in the Windows TCP/IP stack and could allow malicious actors to take over an unpatched system after performing remote code execution on the machine.
Hackers can exploit the bug by sending malicious ICMPv6 Router Advertisement packets to a vulnerable Windows computer via a network connection.
CVE-2020-16898 earned a CVSS Score of 9.8 out of 10, suggesting that attacks in the wild are extremely likely.
Security vendor McAfee warns that CVE-2020-16898 is "wormable" and can be weaponised into a threat that spreads quickly within networks.
"The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets," Microsoft said.
CVE-2020-16947 is a critical vulnerability which impacts Microsoft Outlook software. An attacker can exploit this bug by tricking a user with a vulnerable Outlook version to open a specially crafted file. The attack also works when a user views an email in the preview pane.
"The Preview Pane is an attack vector here, so you don't even need to open the mail to be impacted," ZDI's Dustin Childs said in an online post.
CVE-2020-16891 is a critical Windows Hyper-V RCE bug, which could allow an attacker to run a specially crafted program on a vulnerable guest OS and eventually execute arbitrary code on the host OS. This bug received a score of 8.8 on CVSS scale.
CVE-2020-16911 (GDI+ RCE vulnerability) and CVE-2020-16915 (Media Foundation Memory Corruption vulnerability) are other interesting critical bugs addressed by Microsoft in its October Patch Tuesday.
More on Threats and Risks
Microsoft leads offensive against TrickBot infrastucture ahead of US election day
The US government and cyber security experts see ransomware attacks as one of the biggest threats to the upcoming elections
Russian-speaking hackers use 'MontysThree' toolset on industrial targets
The attacks have been ongoing since 2018
Kaspersky uncovers second-ever UEFI-based malware attacks
Because UEFI lives within a flash memory chip, any malware injected into it can survive reboots, formats and OS reinstalls
Iranian APT group actively exploiting ZeroLogon vulnerability
Microsoft is again urging IT admins to patch their systems to protect data from hackers
Curbing the rise of fake domains and misinformation campaigns
A failure to curb the growing problem of misinformation could have serious repercussions for the Internet and for society as a whole
