Pierluigi Paganini November 11, 2020

Microsoft Patch Tuesday updates for November 2020 address 112 flaws, including a Windows bug that was chained with Chrome issues in attacks.

Microsoft Patch Tuesday updates for November 2020 address 112 vulnerabilities in multiple products, including Microsoft Windows, Office and Office Services and Web Apps, Internet Explorer (IE), Edge (EdgeHTML-based and Chromium-based), ChakraCore, Exchange Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Teams, and Visual Studio. The IT giant also addressed the CVE-2020-17087 Windows flaw that was chained with the CVE-2020-15999 Chrome bug in attacks in the wild.

At the end of October, security researchers from Google have disclosed the zero-day vulnerability in the Windows operating system, tracked as CVE-2020-17087, that is currently under active exploitation.

The CVE-2020-17087 flaw is a Windows Kernel local elevation of privilege vulnerability.

Ben Hawkes, team lead for Google Project Zero team, revealed on Twitter that the vulnerability was chained with another Chrome zero-day flaw, tracked as CVE-2020-15999, that Google recently disclosed.

 The Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), confirmed that the vulnerability was exploited in targeted attacks that are not related to the forthcoming US election.

On October 20, 2020, Google has released Chrome version 86.0.4240.111 that addresses several issues, including the actively exploited CVE-2020-15999 zero-day flaw. The CVE-2020-15999 flaw is a memory corruption bug that resides in the FreeType font rendering library, which is included in standard Chrome releases.

The flaw can be exploited by attackers for arbitrary code execution by getting the targeted user to access a website hosting a specially crafted font file.

Chaining the Windows and Chrome vulnerabilities, the attackers can escape the Chrome sandbox and execute malicious code on the targeted system.

Microsoft Patch Tuesday updates for November 2020 addressed a total of 17 critical vulnerabilities, most of them are RCE. Some of the critical vulnerabilities fixed by Microsoft affect extensions available in the Microsoft Store.

“Of these 112 patches, 17 are rated as Critical, 93 are rated as Important, and two are rated Low in severity. A total of six of these bugs came through the ZDI program. Only one bug is listed as publicly known and under active attack.” states the analysis published by ZDI.

This week, Microsoft announced to have changed the format used for its security advisories. The new advisories provide information through the Common Vulnerability Scoring System (CVSS) and don’t include the description of the flaw and how it can be exploited.

The complete list of flaws addressed by Microsoft is available on the official Security Update Guide portal.

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]