Microsoft released patches for 112 unique common vulnerabilities and exposures (CVEs), 17 of which were considered critical.
Of the 17 critical patches, 12 were tied to remote code execution (RCE) bugs. Overall, the vast majority of the CVEs – 93 – were rated important and two rated low in severity.
The updates this month affect the following: Windows OS, Office and Office 365, Internet Explorer, Edge, and Edge Chromium, Microsoft Exchange Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Teams, Azure SDK, DevOps, ChakraCore, and Visual Studio.
There was one Windows vulnerability, CVE-2020-17087, that has been exploited in the wild. This vulnerability already operates as an “elevation of privilege” vulnerability in the Windows kernel cryptography driver, which lets an attacker elevate their privileges on the system.
Although the vulnerability has only been rated as “Important” by Microsoft, Todd Schell, senior product manager of security at Ivanti said it’s a zero-day and has been publicly disclosed. This means attackers have already been using it in the wild and information on how to exploit it has been distributed publicly, allowing additional threat actors easy access to reproduce this exploit. In fact, CVE-2020-17087 was discovered by Google researchers as being exploited in tandem with a Google Chrome flaw (CVE-2020-15999), for which an update was made available on October 20. Microsoft said security teams should resolve the two vulnerabilities as soon as possible.
Jay Goodman, strategic product marketing manager at Automox, said in a blog that Microsoft’s recent set of patches could very well strain VPN infrastructure at companies again. He said many organizations are likely to encounter VPN failures or downtime from legacy on-premises patch management tools buckling under the pressure.
“VPNs are not designed to extend the IT perimeter and with a large number of remote employees and devices, we face a situation where there’s no functional perimeter for an organization,” Goodman said. “Many organizations committed to solving these problems in the short-term by expanding their VPNs to meet the new demands for remote workforces. However, we now see that these knee-jerk reactions are not able to continue to scale as organizations realize this change is no longer temporary.”