As part of its monthly security updates release Microsoft fixed a total of 87 vulnerabilities across numerous products, including a remote code-execution issue (CVE-2020-16898) in the TCP/IP stack, which allows attackers to execute arbitrary code with elevated privileges using a specially crafted ICMPv6 router advertisement.
Other notable bugs include an RCE vulnerability (CVE-2020-16947) impacting Microsoft Outlook, a critical Windows Hyper-V RCE bug (CVE-2020-16891), the issues in Windows Camera Codec (CVE-2020-16967 and CVE-2020-16968), RCE vulnerabilities in SharePoint Server (CVE-2020-16951 and CVE-2020-16952), Media Foundation Library (CVE-2020-16915), the Base3D rendering engine (CVE-2020-17003), Graphics components (CVE-2020-16923), and the Windows Graphics Device Interface (CVE-2020-16911)
Adobe issued a security update for a critical remote code execution vulnerability in Adobe Flash Player that could be exploited by simply visiting a website. The vulnerability, tracked as CVE-2020-9746, could be exploited by inserting malicious strings in an HTTP response that is by default delivered over TLS/SSL. Adobe Flash Player v32.0.0.445 resolves this flaw.
NetBSD USB network interface drivers have been found to contain a high risk vulnerability, which allows a remote attacker to execute arbitrary code on the target system. The problem stems from boundary errors within multiple USB network interface drivers. The issue affects the following USB network interfaces:
-
atu(4)
-
axe(4)
-
axen(4)
-
otus(4)
-
run(4)
-
ure(4)
Juniper Junos OS has a dangerous vulnerability (CVE-2020-1667), which allows a remote attacker to elevate privileges on the system. The following Juniper Networks Junos OS versions were found to be affected by CVE-2020-1667:
-
17.3 versions prior to 17.3R3-S8;
-
18.3 versions prior to 18.3R3-S1;
-
18.4 versions prior to 18.4R3;
-
19.1 versions prior to 19.1R3;
-
19.2 versions prior to 19.2R2;
-
19.3 versions prior to 19.3R3.
Trend Micro Antivirus for Mac contains a couple of vulnerabilities (CVE-2020-25777, CVE-2020-25778) that could allow a remote attacker to compromise the system or gain access to sensitive data.
ARC Informatique PcVue HMI/SCADA solution contains multiple vulnerabilities, the most severe of which (CVE-2020-26867) allows remote code execution.
Multiple vulnerabilities exist in Allen-Bradley Flex IO 1794-AENT series B communication adapter. All of them are denial of service (DoS) issues that can be used to trigger denial-of-service condition by sending malicious packets on the device.
Linux kernel contains Bluetooth vulnerabilities (CVE-2020-12351, CVE-2020-12352, CVE-2020-24490) that could be exploited to execute arbitrary code or access sensitive information. The most dangerous of these bugs is CVE-2020-12351, a heap-based type confusion that impacts Linux kernel 4.8 and higher, which can lead to denial of service or execution of arbitrary code, with kernel privileges.