Microsoft Is Giving You One Hundred Reasons to Apply October’s Patches
- Microsoft has released another monthly batch of fixes, squashing at least 14 critical vulnerabilities.
- One of the fixed flaws has a now-published proof of concept code, so applying the patch is non-negotiable.
October’s “Patch Tuesday” has landed, and it’s fixing more than 100 vulnerabilities across an array of Microsoft products. 14 of the fixed flaws are put in the “critical” category, while most of the rest are considered “important”. Thus, users of Microsoft Windows and the tech giant's various products are urged to apply the patch as soon as possible.
Starting with the nastiest bug that Microsoft squashed this month, the CVE-2020-16898 carries a CVSS score of 9.8, and it can be abused for the planting of malware. McAfee has even presented their proof of concept for the particular flaw which they dub as “bad neighbor.” The researchers combined it with CVE-2020-16899 (authentication bypass) for a more potent attack. Since the exploit is based on the use of specially crafted IPv6 packets, even heuristic detection systems can catch malicious attempts, but patching is a sure way to stay safe.
Another example of fixed critical remote code execution vulnerabilities is the CVE-2020-16951 and CVE-2020-16952, which exist in SharePoint. Then there’s the CVE-2020-16891, a Hyper-V flaw that can potentially create arbitrary code execution conditions, the CVE-2020-16923, which is an RCE on Microsoft Graphics components, CVE-2020-16947, which is an RCE on Outlook, CVE-2020-16967, which is an RCE on the Camera Codec pack, and the CVE-2020-16966 RCE on the Open Enclave SDK.
Related: Microsoft Severely Disrupted the Trickbot Botnet Operations
If you’re looking for memory corruption flaws, CVE-2020-16915 is probably the most critical, located in the Media Foundation component. A successful exploit of this flaw may open the door to the arbitrary installation of programs, viewing, changing, or deleting data, and creating new user accounts that carry full rights. To exploit this bug, a hacker could either use a specially crafted document or trick the target into visiting a malicious webpage.
As always, applying major system updates like “Tuesday Patches” on Windows 10, for example, may introduce new bugs or system instability. For this reason, you are always advised to take a backup of your important files and settings before you proceed. Remember, Windows has in-built system restoration tools in the “Backup” section of the System Settings, allowing users to save complete system images and restore them in the case that things don’t go as planned.