New Security update by Microsoft on this Patch Tuesday
Patch Tuesday is the term used by Microsoft for the day each month when it releases security and other patches for its operating systems and other software. Patch Tuesday always falls on the second Tuesday of the month, and it is now also being referred to as Update Tuesday. On this Patch Tuesday, Microsoft released a new security update that fixes 87 newly discovered security issues. The update is part of its October 2020 patch release. The issues include two critical RCE (remote code execution) flaws, in the Windows TCP/IP stack and in Microsoft Outlook.
Eleven of the flaws are categorized as Critical, 75 are ranked as Important, and one is classified as Moderate in severity. These flaws affect Windows, MS-Office, Office Services and Web Apps, Visual Studio, Azure Functions, Open Source Software, Exchange Server, .NET Framework, Microsoft Dynamics, and the Windows Codecs Library. Six of these flaws are listed as publicly known at the time of release, and none of them is listed as being under active attack.
The scariest of all the bugs is probably CVE-2020-16898, an awful bug in Windows 10 and Windows Server 2019. It could be used to install malware just by sending an ill-formed packet of data to a vulnerable system. CVE-2020-16898 scored 9.8 out of 10 (10 being the worst) on CVSS. Security experts at McAfee called this type of bug a "Bad Neighbor" because it could be made wormable, allowing hackers to launch a series of attacks that spread from one computer to another without any human interaction.
The second bug to keep an eye on is CVE-2020-16947, an RCE flaw in affected versions of Outlook that can allow code execution just by viewing a specially crafted email. According to Microsoft's advisory, if the user is logged on with administrative user rights, an attacker could take control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
For those of you who have been waiting for a Flash Player patch from Adobe, your days of waiting are finally over. After many months without Flash fixes, Adobe has released an update that fixes a single, critical flaw in the program that attackers could use to install malicious software on your computer just by getting you to visit a malicious website.
The patch also addresses a privilege escalation flaw, CVE-2020-16909, in the Windows Error Reporting (WER) component. The flaw could allow an authenticated hacker to run malicious applications with elevated privileges and gain access to sensitive information. Other critical bugs fixed by Microsoft in this month's update are RCE flaws in SharePoint, Media Foundation Library, Windows Graphics Device Interface (GDI), the Base3D rendering engine, and Graphics Components.
We highly recommend that Windows users and system administrators install the latest security patches to reduce the threats associated with these issues. Attackers may have a head start in figuring out how to exploit these flaws, as some of them had already been disclosed to the public. To install the latest security updates, go to Start > Settings > Update & Security > Windows Update, or click Check for Windows updates.