13 November 2020

Vulnerability summary for the week: November 13, 2020


This week Microsoft rolled out a batch of security updates as part of its November 2020 Patch Tuesday release, addressing a total of 112 vulnerabilities across multiple products, including a zero day bug in the Windows kernel.

The zero day bug, tracked as CVE-2020-17087, is described as a privilege escalation vulnerability in the Windows Kernel Cryptography Driver (cng.sys). The flaw impacts all currently supported versions of the Windows OS, including all versions after Windows 7, and all Windows Server distributions.

In addition to the Windows zero day, Microsoft addressed nearly two dozen high risk vulnerabilities in various products, including an RCE flaw in Internet Explorer (CVE-2020-17053), an out-of-bounds read in Chakra Scripting Engine (CVE-2020-17048), several RCE bugs in Azure Sphere, Network File System (NFS), Excel, Microsoft Office Access Connectivity Engine (CVE-2020-17062), as well as Microsoft Windows’ Print Spooler, and a number of video and image file extensions [1, 2, 3, 4]. The November 2020 Patch Tuesday release also fixes a critical vulnerability (CVE-2020-17091) in Microsoft Teams, which, if exploited, could lead to a complete compromise of the target system.

Google continues to address zero day bugs in its Chrome browser. This week the tech giant released Chrome version 86.0.4240.198 for Windows, Mac, and Linux, which contains fixes for two zero day vulnerabilities that were exploited in the wild. That makes it a total of five zero days patched by Google in recent weeks.

The two zero days are tracked as CVE-2020-16013 and CVE-2020-16017. The first one is described as an inappropriate implementation in V8, which can lead to a system takeover, while the second flaw is a use-after-free issue within the site isolation component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Intel has issued security updates designed to fix multiple vulnerabilities across its products, including critical ones (CVE-2020-12313, CVE-2020-12317) affecting Intel PROSet/Wireless WiFi solutions. The first one exists due to improper management of internal resources in some Intel(R) PROSet/Wireless WiFi products before version 21.110 and allows remote code execution, while the latter is a boundary error issue that lets a remote attacker compromise the affected system.

Mozilla patched a high risk vulnerability (CVE-2020-26950) that impacts Mozilla Thunderbird, Firefox and Firefox ESR. The issue is a use-after-free flaw that occurs when processing HTML content and is caused by MCallGetProperty opcode write side effects. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code, thus compromising the system.

Adobe issued patches covering multiple vulnerabilities in Reader for Android and Adobe Connect. The Adobe Reader Mobile vulnerability (CVE-2020-24441) allows a remote attacker to bypass implemented security restrictions and gain unauthorized access to sensitive information. Two bugs in Adobe Connect, tracked as CVE-2020-24442 and CVE-2020-24443, could be exploited by a remote attacker to perform cross-site scripting (XSS) attacks and steal sensitive data.

SaltStack infrastructure automation software contains three vulnerabilities, one of which (CVE-2020-25592) is a high risk bug that allows a remote attacker to bypass the authentication process and take over the system. The two other flaws (CVE-2020-17490, CVE-2020-16846) are considered less dangerous, though they can be used to elevate privileges on the system or execute arbitrary shell commands. It should be noted that public exploits for CVE-2020-25592 and CVE-2020-16846 are available.
