This marks the first time since February that Microsoft patched fewer than 100 CVEs. Leading the pack this month from Microsoft are a TCP/IP-related flaw and a vulnerability in Windows RDP.
Satnam Narang, staff research engineer at Tenable, said the most critical vulnerability released by Microsoft is CVE-2020-16898, a remote code execution vulnerability in the Windows TCP/IP stack. Dubbed “Bad Neighbor” by researchers at McAfee, Narang said the flaw occurs because Windows TCP/IP stack does not properly handle ICMPv6 Router Advertisement packets.
Narang said to exploit this vulnerability an attacker would need to send a malicious ICMPv6 Router Advertisement to a targeted Windows machine. It received a CVSSv3 score of 9.8, the highest score assigned to any vulnerability in this month’s patches. Microsoft also patched CVE-2020-16899, a denial-of-service vulnerability in the Windows TCP/IP stack. Both vulnerabilities were discovered internally by Microsoft and are rated as ‘Exploitation More Likely,’ according to Microsoft’s Exploitability Index.
Microsoft also addressed CVE-2020-16896, an information disclosure vulnerability in Windows RDP. While Microsoft rates this vulnerability as ‘Important’ and it received a CVSSv3 score of 7.5, Microsoft said it’s more likely to be exploited.
“To exploit the flaw, an attacker would need to connect to a system that’s running RDP and send specially-crafted requests to it,” Narang said. “This information could be used by the attacker for further compromise. RDP is a prime target for cybercriminals, especially those looking to launch ransomware attacks. If an organization exposes RDP to the Internet, they need to ensure they’ve taken appropriate steps to harden RDP, which includes ensuring all patches are applied in a timely manner.”
The Adobe updates address a critical vulnerability in Adobe Flash Player for Windows, macOS, Linux and Chrome OS. Adobe defines a critical vulnerability as one that if exploited, would let malicious native-code execute, potentially without a user being aware. Successful exploitation could lead to an exploitable crash, potentially resulting in arbitrary code execution by the user.
Nick Colyer, senior product marketing manager at Automox, said the platforms impacted include Windows RT, Server 2012, Server 2012 R2, Server 2016, Server 2019, and Windows 10 for 32-bit and 64-bit flavors across various build versions. Colyer added that as with most Flash Player vulnerabilities, web-based exploitations are the primary vector of exploitation, but not the only one. He said these vulnerabilities can also get exploited through an embedded ActiveX control in a Microsoft Office document or any application that uses the IE rendering engine.
Colyer recommends making the patches as a security best practice, but for organizations that cannot remove Adobe Flash because of a business-critical function, he recommends mitigating the threat potential of these vulnerabilities by preventing Adobe Flash Player from running altogether via the killbit feature. “Set a Group Policy to turn off instantiation of Flash objects, or limit trust center settings prompting for active scripting elements.” He advised.
Automox also released a blog post on the Microsoft patches. Colyer said CVE-2020-16896 is an information disclosure vulnerability in Windows RDP that’s attributable to the manner in which RDP handles connection requests. Successful exploitation requires a maliciously crafted request to an affected system offering an attacker with read-only access to the Windows RDP server process on the remote host. He added that the exploit itself does not provide for remote code execution, but could get leveraged for additional information gathering in support of further attack and possible system compromise.