This month Microsoft released patches for 87 vulnerabilities with 11 rated “Critical” and 75 “Important” in severity.

All patches have been approved in our patch policy.

With “only” 87 vulnerabilities patched this month, we are getting a break from the 100+ months we’ve seen recently. Most concerning is remote code execution (RCE) vulnerability CVE-2020-16898 (aka “Bad Neighbor”) and a denial of service (DoS) vulnerability CVE-2020-16899. The RCE is likely wormable. If you are unable to apply these patches immediately Microsoft provides a workaround with PowerShell command that does not require a reboot.  See the associated links under “Notable CVEs” below.

CVE-2020-16947 is a Microsoft Outlook RCE vulnerability. Users don’t even need to open the message as the Preview Pane is an attack vector. CVE-2020-16951 and CVE-2020-16952 are RCE vulnerabilities in Microsoft SharePoint.  Six CVEs are publicly known but none are classified as Critical and are patched with the Cumulative Update/Monthly Rollup. Some new SSUs this month as well as a new Adobe Flash update.

 

Disclosed: CVE-2020-16937,CVE-2020-16909,CVE-2020-16901,CVE-2020-16938,CVE-2020-16908,CVE-2020-16885

Exploited: None

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software include:

• Microsoft Windows
• Microsoft Office and Microsoft Office Services and Web Apps
• Microsoft JET Database Engine
• Azure Functions
• Open Source Software
• Microsoft Exchange Server
• Visual Studio
• PowerShellGet
• Microsoft .NET Framework
• Microsoft Dynamics
• Adobe Flash Player
• Microsoft Windows Codecs Library

 

Microsoft Security Advisories

 

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:10/13/2020)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

 

ADV200012 | October 2020 Adobe Flash Security Update (Published:10/13/2020)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200012

This security update addresses the following vulnerability, which is described in Adobe Security Bulletin APSB20-58: CVE-2020-9746

Please note that in the event of any discrepancies. the definitive source of information (for example, vulnerability severity and impact) is the Adobe Flash bulletin as referenced.

 

Known Issues

All Cumulative Updates/Monthly Rollups may cause issues installing some third-party drivers. This is considered a vendor problem to fix.  There is a potential issue when upgrading to Windows 10 version 1903/1909. Upgrades to Windows 10 version 2004 do not appear affected.

 

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

 

“Windows can’t verify the publisher of this driver software”

https://support.microsoft.com/en-us/help/4579311

Applies to: Windows 10/8.1, Windows Server

Symptom: When installing a third-party driver, you might receive the error, “Windows can’t verify the publisher of this driver software”. You might also see the error, “No signature was present in the subject” when attempting to view the signature properties using Windows Explorer.

Workaround: This issue occurs when an improperly formatted catalog file is identified during validation by Windows. Starting with this release, Windows will require the validity of DER encoded PKCS#7 content in catalog files. Catalogs files must be signed per section 11.6 of describing DER-encoding for SET OF members in X.690.

If this happens you should contact the driver vendor or device manufacturer (OEM) and ask them for an updated driver to correct the issue.

 

“Continuing with the installation of Windows will remove some optional features”

https://support.microsoft.com/en-us/help/4577671/windows-10-update-kb4577671

Applies to: Windows 10 upgrades from 1809 and older

Symptom: When updating to Windows 10, version 1903 or Windows 10, version 1909 from any previous version of Windows 10, you might receive a compatibility report dialog with “What needs your attention” at the top and the error, “Continuing with the installation of Windows will remove some optional features. You may need to add them back in Settings after the installation completes.” You might receive this compatibility warning when LOCAL SYSTEM accounts are blocked in a firewall from accessing the internet via HTTP. This is caused by the Windows 10 Setup Dynamic Update (DU) being unable to download required packages.

Workaround: If your device has access to HTTP blocked for LOCAL SYSTEM accounts, to mitigate this issue you can enable HTTP access for the Windows 10 Setup Dynamic Update (DU) using the LOCAL SYSTEM account. After you have allowed access, you can restart installation of the update and you should not see the warning. You can also continue by clicking the OK button or use the /compat IgnoreWarning command to ignore compatibility warnings but this might also ignore other warnings that your device might be affected by.

We are working on a resolution and will provide an update in an upcoming release.

 

Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

 

Security and Quality Rollup

• KB4580345 – Windows 7, Windows Server 2008 R2 (ESU)
• KB4580347 – Windows 8.1, Windows Server 2012 R2
• KB4580382 – Windows Server 2012
• KB4580378 – Windows Server 2008 (ESU)

 

Security Only Update

• KB4580387 – Windows 7, Windows Server 2008 R2 (ESU)
• KB4580358 – Windows 8.1, Windows Server 2012 R2
• KB4580353 – Windows Server 2012
• KB4580385 – Windows Server 2008 (ESU)

 

Cumulative Update for Windows 10

• KB4580327 – Original release version 1507 (OS Build 10240)
• None – Version 1511 (OS Build 10586)
• KB4580346 – Version 1607 “Anniversary Update” (OS Build 14393)
• KB4580370 – Version 1703 “Creators Update” (OS Build 15063)
• KB4580328 – Version 1709 “Fall Creators Update” (OS Build 16299)
• KB4580330 – Version 1803 “Spring Creators Update” (OS Build 17134)
• KB4577668 – Version 1809 “October 2018 Update” (OS Build 17763)
• KB4577671 – Version 1903 “May 2019 Update” (OS Build 18362)
• KB4577671 – Version 1909 “November 2019 Update” (OS Build 18363)
• KB4579311 – Version 2004 “May 2020 Update” (OS Build 19041)

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

 

• KB4580325 – Security Update for Adobe Flash Player

 

October 2020 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4583495/october-2020-updates-for-microsoft-office

 

Notable CVEs

 

CVE-2020-16891 – Windows Hyper-V Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16891

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.

 

CVE-2020-16898 – Windows TCP/IP Remote Code Execution Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.

 

CVE-2020-16899 | Windows TCP/IP Denial of Service Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16899

A denial of service vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could cause a target system to stop responding.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The vulnerability would not allow an attacker to execute code or to elevate user rights directly.

The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.

 

CVE-2020-16947 – Microsoft Outlook Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16947

A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the targeted user. If the targeted user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

Note that where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector.

The security update addresses the vulnerability by correcting how Outlook handles objects in memory.

 

CVE-2020-16951, CVE-2020-16952 | Microsoft SharePoint Remote Code Execution Vulnerability (KB4486677,KB4484506,KB4484525)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16951

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.

The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.