16 October 2020

Vulnerability summary for the week: October 16, 2020

As part of its monthly security update release, Microsoft fixed a total of 87 vulnerabilities across numerous products, including a remote code execution issue (CVE-2020-16898) in the Windows TCP/IP stack that allows an attacker to execute arbitrary code with elevated privileges by sending a specially crafted ICMPv6 router advertisement.

Other notable bugs include an RCE vulnerability (CVE-2020-16947) affecting Microsoft Outlook, a critical Windows Hyper-V RCE bug (CVE-2020-16891), issues in the Windows Camera Codec (CVE-2020-16967 and CVE-2020-16968), RCE vulnerabilities in SharePoint Server (CVE-2020-16951 and CVE-2020-16952), the Media Foundation Library (CVE-2020-16915), the Base3D rendering engine (CVE-2020-17003), Graphics components (CVE-2020-16923), and the Windows Graphics Device Interface (CVE-2020-16911).

Adobe issued a security update for a critical remote code execution vulnerability in Adobe Flash Player that could be exploited simply by visiting a website. The vulnerability, tracked as CVE-2020-9746, could be exploited by inserting malicious strings into an HTTP response that is by default delivered over TLS/SSL. Adobe Flash Player v32.0.0.445 resolves this flaw.

NetBSD USB network interface drivers have been found to contain a high-risk vulnerability that allows a remote attacker to execute arbitrary code on the target system. The problem stems from boundary errors within multiple USB network interface drivers. The issue affects the following USB network interface drivers:

  • atu(4)

  • axe(4)

  • axen(4)

  • otus(4)

  • run(4)

  • ure(4)

Juniper Junos OS has a dangerous vulnerability (CVE-2020-1667) that allows a remote attacker to elevate privileges on the system. The following Juniper Networks Junos OS versions were found to be affected by CVE-2020-1667:

  • 17.3 versions prior to 17.3R3-S8;

  • 18.3 versions prior to 18.3R3-S1;

  • 18.4 versions prior to 18.4R3;

  • 19.1 versions prior to 19.1R3;

  • 19.2 versions prior to 19.2R2;

  • 19.3 versions prior to 19.3R3.
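Checking a deployed release string such as 19.2R1-S3 against "19.2 versions prior to 19.2R2" is easy to get wrong by eye. The following added example (not from the original post or from Juniper) encodes the CVE-2020-1667 list above as a lookup table and compares a given version against it; it assumes the common `<major>.<minor>R<release>[-S<service>]` format, rejects other formats, and treats any release train not in the list as out of scope for this summary.

```python
import re

# Affected Junos OS trains for CVE-2020-1667 as listed in this summary:
# train -> first fixed release on that train (everything "prior to" it is affected).
AFFECTED_TRAINS = {
    "17.3": "17.3R3-S8",
    "18.3": "18.3R3-S1",
    "18.4": "18.4R3",
    "19.1": "19.1R3",
    "19.2": "19.2R2",
    "19.3": "19.3R3",
}

# Assumed version format (not from the summary): <major>.<minor>R<release>[-S<service>]
# Other Junos naming variants are deliberately rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")


def parse_junos_version(version):
    """Return (major, minor, release, service) for a string like '19.2R1-S3'.

    A missing service release counts as service 0, so 19.2R2 sorts before 19.2R2-S1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version format: {version!r}")
    major, minor, release, service = m.groups()
    return (int(major), int(minor), int(release), int(service or 0))


def is_affected(version):
    """True if `version` is on a listed train and older than that train's fixed release.

    Returns None when the train is not in the list, i.e. this summary says nothing
    about it; callers should not read None as "safe".
    """
    parsed = parse_junos_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = AFFECTED_TRAINS.get(train)
    if fixed is None:
        return None
    # Tuple comparison gives the numeric ordering major > minor > release > service.
    return parsed < parse_junos_version(fixed)


if __name__ == "__main__":
    for v in ("17.3R3-S7", "17.3R3-S8", "18.4R2-S3", "19.3R1", "20.1R1"):
        print(v, "->", is_affected(v))
```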

Trend Micro Antivirus for Mac contains two vulnerabilities (CVE-2020-25777, CVE-2020-25778) that could allow a remote attacker to compromise the system or gain access to sensitive data.

The ARC Informatique PcVue HMI/SCADA solution contains multiple vulnerabilities, the most severe of which (CVE-2020-26867) allows remote code execution.

Multiple vulnerabilities exist in the Allen-Bradley Flex IO 1794-AENT Series B communication adapter. All of them are denial-of-service (DoS) issues that can be triggered by sending malicious packets to the device.

The Linux kernel contains three Bluetooth vulnerabilities (CVE-2020-12351, CVE-2020-12352, CVE-2020-24490) that could be exploited to execute arbitrary code or access sensitive information. The most dangerous of these is CVE-2020-12351, a heap-based type confusion affecting Linux kernel 4.8 and higher, which can lead to denial of service or execution of arbitrary code with kernel privileges.
