Microsoft patched 87 vulnerabilities, including 21 RCE bugs

Written by Emma Davis

As part of October Patch Tuesday, Microsoft patched 87 vulnerabilities in its products, including 11 critical vulnerabilities and 21 remote code execution (RCE) issues.

The fixed bugs affected Windows itself, Office, Office Services and Web Apps, Visual Studio, Azure Functions, Azure Sphere, .NET Framework, Microsoft Dynamics, Exchange Server, Windows Codecs Library, and so on.

It is reported that, according to experts, none of the vulnerabilities were under attack.

The most dangerous problem of this month is CVE-2020-16898, an RCE bug in the Windows TCP/IP stack that received a score of 9.8 out of 10 on the CVSS vulnerability rating scale.

"This vulnerability could allow an attacker to take full control of a Windows machine by sending malicious ICMPv6 Router Advertisement packets over a network connection," said Microsoft representatives.

The Microsoft engineers who discovered this issue state that Windows 10 and Windows Server 2019 are vulnerable to it.

If the updates cannot be installed for some reason, it is strongly recommended to apply at least the workarounds for the bug, including temporarily disabling ICMPv6 RDNSS support.

McAfee experts point out that the problem may be wormable, that is, attackers could launch attacks that spread from one vulnerable computer to another without human intervention.

Researchers from SophosLabs have published a video demonstrating how the vulnerability can be used to provoke a blue screen of death (BSoD) and named the bug Ping of Death.
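The interim workaround mentioned above, disabling ICMPv6 RDNSS (RA-based DNS configuration) until the update is installed, as an added PowerShell example that is not part of the original article or of Microsoft's advisory text. It assumes the `netsh interface ipv6 set interface <index> rabaseddnsconfig=disable|enable` setting and that the "RA Based DNS Config" label appears in `netsh interface ipv6 show interface` output; the `-Revert` switch is this script's own.

```powershell
# Added example: apply (or revert) the CVE-2020-16898 RDNSS workaround on
# every IPv6 interface and read the resulting setting back.
# Run from an elevated PowerShell on Windows 10 / Windows Server 2019.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Re-enable RDNSS after the October 2020 update has been installed.
    [switch]$Revert
)

$state = if ($Revert) { 'enable' } else { 'disable' }

# Router Advertisements only arrive on IPv6 interfaces; skip loopback.
$ifaces = Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }

foreach ($if in $ifaces) {
    $idx = $if.ifIndex
    $target = "interface $idx ($($if.InterfaceAlias))"
    if (-not $PSCmdlet.ShouldProcess($target, "rabaseddnsconfig=$state")) { continue }

    # The knob Microsoft's advisory names for this workaround (assumed here).
    netsh interface ipv6 set interface $idx rabaseddnsconfig=$state | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh failed on $target"
        continue
    }

    # Read the setting back; the label text is assumed from netsh's output.
    $line = netsh interface ipv6 show interface $idx |
        Select-String -Pattern 'RA Based DNS Config'
    $current = if ($line) { ($line.Line -replace '.*:\s*', '').Trim() } else { 'unknown' }

    [pscustomobject]@{
        ifIndex = $idx
        Alias   = $if.InterfaceAlias
        RDNSS   = $current
    }
}
```

Hosts that learn their DNS servers only through RDNSS lose name resolution while the setting is disabled, so run with `-WhatIf` first and revert once the update is in place.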

Let me remind you that this is not the first extremely dangerous vulnerability in Windows, discovered in the “happy” 2020.

Another high-profile vulnerability of this month that deserves special mention is CVE-2020-16947, which allows remote code execution in Outlook. Microsoft claims that this error can be exploited by tricking a user into opening a specially crafted file in a vulnerable version of Microsoft Outlook (that is, getting a malicious email from attackers is enough).

"The attack vector here is the preview panel, so you can get hurt without even opening the email. The vulnerability is related to the parsing of HTML content in emails. Although Microsoft rated the danger of this vulnerability as low, we already have a working proof-of-concept. Please fix this bug as soon as possible," explains Dustin Childs of the Zero Day Initiative.

Also worth mentioning is the Windows Hyper-V RCE bug (CVE-2020-16891), which scored 8.8 on the CVSS scale. The problem is related to incorrect validation of input from an authenticated user in the guest operating system. By exploiting this issue, an attacker could run a specially crafted program in the guest OS, forcing the Hyper-V host's OS to execute arbitrary code.

Two more critical RCE flaws (CVE-2020-16967 and CVE-2020-16968) affect the Windows Camera Codec Pack, allowing an attacker to send a malicious file to the victim, which, when opened, will provoke arbitrary code execution in the context of the current user.

