Patch Tuesday: Microsoft addresses Windows zero-day vulnerability and 111 others

Patches include one for a zero-day flaw disclosed by Google's researchers last month

Microsoft on Tuesday released its monthly roll-up of security patches, addressing a total of 112 vulnerabilities across a suite of products/platforms.

Of the 112 security flaws fixed this month, 17 are listed as 'critical', 93 are 'important', while two are 'low' in severity.

This month's security update also includes a patch for a Windows zero-day bug which was disclosed by Google's researchers last month, with the claim that it was actively being exploited by cyber actors.

The bug, tracked as CVE-2020-17087, affects Windows Server, Windows 10/RT/8.1/7 and arises due to overflow issue in a Windows component that is used for cryptographic functions.

Google researchers said that hackers were exploiting the bug in combination with a Chrome bug (CVE-2020-15999) to target Windows systems.

Attackers exploited the Chrome vulnerability to execute malicious code inside Chrome and used CVE-2020-17087 to escape the Chrome security sandbox and to elevate the code's privileges to attack the OS.

Google fixed CVE-2020-15999 in Chrome's latest version (86.0.4240.111) which was released last month.

Microsoft rated CVE-2020-17087 as important in severity, likely because a cyber actor would need to have physical access to a vulnerable system in order to exploit the bug.

"Chaining vulnerabilities is an important tactic for threat actors," said Satnam Narang, staff research engineer at Tenable.

"While both CVE-2020-15999 and CVE-2020-17087 were exploited in the wild as zero-days, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the FBI last month that highlighted threat actors chaining unpatched vulnerabilities to gain initial access into a target environment and elevate privileges. Even though Google and Microsoft have now patched these flaws, it is imperative for organisations to ensure they've applied these patches before threat actors begin to leverage them more broadly."

Another newsworthy fix from Microsoft this month is for the CVE-2020-17051, a remote code execution (RCE) bug existing in Windows' Network File System (NFS).

This bug is specifically worrying because Windows NFS lets users to access files across a network and treat them as if they exist in a local file directory.

Experts fear that attacker can take advantage of this functionality to gain access to critical systems for a long time.

Another notable patch is for CVE-2020-17084, a flaw impacting Exchange Server that could lead to remote code execution.

CVE-2020-17040 is a bypass vulnerability in Windows Hyper-V that could enable an attacker to carry out an attack without authentication or interaction with a user.

Other Microsoft products that have received security patches this month include Microsoft Windows, Microsoft Windows Codecs Library, Office and Office Services and Web Apps, Edge (EdgeHTML-based and Chromium-based), Internet Explorer (IE), ChakraCore, Microsoft Dynamics, Windows Defender, Microsoft Teams, Visual Studio, Azure SDK and Azure DevOps.