Microsoft has pushed out fixes for 87 security vulnerabilities in October – 11 of them critical – and one of those is potentially wormable.
There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.
This month’s Patch Tuesday overall includes fixes for bugs in Microsoft Windows, Office and Office Services and Web Apps, Azure Functions, Open Source Software, Exchange Server, Visual Studio, .NET Framework, Microsoft Dynamics, and the Windows Codecs Library.
A full 75 are listed as important, and just one is listed as moderate in severity. None are listed as being under active attack, but the group does include six issues that were known but unpatched before this month’s regularly scheduled updates.
“As usual, whenever possible, it’s better to prioritize updates against the Windows operating system,” Richard Tsang, senior software engineer at Rapid7, told Threatpost. “Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60 percent of the vulnerabilities listed, along with over half of the critical RCE vulnerabilities resolved today.”
One of the most notable critical bugs, according to researchers, is a remote code-execution (RCE) problem in the TCP/IP stack. That issue (CVE-2020-16898) allows attackers to execute arbitrary code with elevated privileges using a specially crafted ICMPv6 router advertisement.
Microsoft gives this bug its highest exploitability rating, meaning attacks in the wild are extremely likely – and as such, it carries a severity rating of 9.8 out of 10 on the CvSS vulnerability scale. True to the season, it could be an administrator’s horror show.
“If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround,” said Dustin Childs, researcher at Trend Micro’s Zero-Day Initiative (ZDI), in his Patch Tuesday analysis. “You should definitely test and deploy this patch as soon as possible.”
Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said that an exploit for the bug could be self-propagating, worming through infrastructure without user interaction.
“An attacker can exploit this vulnerability without any authentication, and it is potentially wormable,” he said. “We expect a proof-of-concept (PoC) for this exploit would be dropped soon, and we highly encourage everyone to fix this vulnerability as soon as possible.”
Threatpost has reached out for more technical details on the wormable aspect of the bug.
#cloud security #vulnerabilities #web security #critical #cve-2020-16898 #microsoft #october 2020 #patch tuesday #patches #publicly disclosed #remote code execution #router advertisements #security bug #security vulnerabilities #tcp/ip #unpatched bugs #wormable
At JCC Wolk Children Center, all children are getting the best basic education learning with fun activities. We have qualified staff members . Our Professionals take care of all the children very well. For more detail click: ChildCare Pittsford NY
#childcare pittsford ny #childcare rochester ny #childcare brighton ny
Adobe issued out-of-band patches for critical flaws tied to 12 CVEs in Photoshop and other applications.
Adobe released a slew of patches for critical vulnerabilities Tuesday that were part of an out-of-band security update. Several of the critical flaws are tied to Adobe’s popular Photoshop photo-editing software and allow adversaries to execute arbitrary code on targeted Windows devices.
Overall, Adobe issued patches for flaws tied to 12 CVEs across Bridge, Prelude and Photoshop applications. The unscheduled updates come a week after Adobe issued its official July 2020 security updates, including critical code-execution bugs.
Adobe said it was not aware of any exploits in the wild for any of the bugs patched in the update. The company did not offer technical details regarding the Photoshop CVEs.
Threatpost reached out to Mat Powell, researcher with Trend Micro’s Zero Day Initiative, who is credited for finding each of the critical flaws. Powell has not responded to that request. Threatpost hopes to update this report with additional commentary from the researcher.
All of the reported critical flaws stem from out-of-bounds read and write vulnerabilities, which occur when the software reads data past the end of – or before the beginning of – the intended buffer, potentially resulting in corruption of sensitive information, a crash, or code execution among other things.
Adobe Photoshop features two out-of-bounds read flaws (CVE-2020-9683, CVE-2020-9686) and three out-of-bound write (CVE-2020-9684, CVE-2020-9685, CVE-2020-9687) issues. All of these could “lead to arbitrary code execution in the context of the current user,” according to Adobe.
The Photoshop vulnerabilities affect Photoshop CC 2019 versions 20.0.9 and earlier and Photoshop 2020 21.2 and earlier (for Windows). Users can update to versions 20.0.10 and 21.2.1, respectively.
Adobe has previously addressed various serious flaws in its Photoshop photo editing app, including dozens of arbitrary code-execution issues in March – which addressed 22 CVEs in Photoshop overall, 16 of which were critical.
Also fixed were critical flaws tied to three CVEs in Bridge, Adobe’s asset management app. These include an out-of-bounds read flaw (CVE-2020-9675) and out-of-bounds write issues (CVE-2020-9674, CVE-2020-9676) that could enable code execution. Adobe Bridge versions 10.0.3 and earlier are affected; users can update to version 10.1.1 for a fix.
Adobe also issued patches for critical vulnerabilities in its Prelude app, which works with its Premiere Pro video editing app to allow users to tag media with metadata for searching, post-production workflows, and footage lifecycle management.
Prelude contains out-of-bounds read (CVE-2020-9677, CVE-2020-9679) and out-of-bounds write (CVE-2020-9678, CVE-2020-9680) glitches that can allow code execution. Adobe Preluade versions 9.0 and earlier for Windows are affected; users can update to version 9.0.1.
Powell was also credited with reporting the additional critical flaws.
Adobe also issued patches for an “important” severity flaw in Adobe Reader Mobile for Android, which allows users to view and edit PDFs from their smartphones. The application has a directory traversal issue (CVE-2020-9663) enabling information disclosure in the context of the current user. Adobe Reader Mobile for Android, versions 20.0.1 and earlier are impacted. Users can update to version 20.3 (for all Android versions).
#vulnerabilities #web security #adobe #adobe bridge #adobe fix #adobe prelude #critical flaw #out of band patch #patch #photoshop #security update #unscheduled update