Microsoft today released its monthly roll-up of security patches, known as Patch Tuesday. This month, the Redmond-based company fixed 112 security bugs across a wide range of products, from Microsoft Edge to the Windows WalletService.
This month’s patches also include a fix for a Windows zero-day vulnerability that was exploited in the wild.
Tracked as CVE-2020-17087, the zero-day was disclosed on October 30 by the Google Project Zero and TAG security teams. Google said the vulnerability was being exploited together with a Chrome zero-day to target Windows 7 and Windows 10 users.
Attackers would use the Chrome zero-day to run malicious code inside Chrome and then use the Windows zero-day to escape the Chrome security sandbox and elevate the code’s privileges to attack the underlying OS.
Details about the attack were not published beyond this simple description.
Google discovered the zero-day around mid-October and gave Microsoft seven days to release a patch. Since releasing a security patch for any Microsoft product (and especially the bulky Windows OS) takes time to test and fine-tune, the patch was not ready during the original seven-day disclosure timeline. But it is available starting today.
According to Microsoft’s security advisory for CVE-2020-17087, the zero-day resides in the Windows kernel and impacts all currently supported versions of the Windows OS. This includes all versions after Windows 7, and all Windows Server distributions.
But besides the Windows zero-day, there are 111 other vulnerabilities that need to be patched as well, including 24 bugs that can allow remote code execution (RCE) attacks in apps such as Excel, Microsoft SharePoint, Microsoft Exchange Server, the Windows Network File System, the Windows GDI+ component, the Windows Print Spooler service, and even in Microsoft Teams.
While rushing to install patches is a safe approach for most users, system administrators of large networks are advised to test the patches before a broad rollout to avoid any bugs or changes that break internal systems.
Below are additional details about today’s Microsoft Patch Tuesday and security updates released by other tech companies:
- Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
- ZDNet has published this file listing all of this month’s security advisories on a single page.
- Adobe’s security updates are detailed here.
- SAP security updates are available here.
- Intel security updates are available here.
- VMware security updates are available here.
- Chrome 86 security updates are detailed here.
- Android security updates are available here.

Tag | CVE ID | CVE Title |
---|---|---|
Azure DevOps | CVE-2020-1325 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability |
Azure Sphere | CVE-2020-16985 | Azure Sphere Information Disclosure Vulnerability |
Azure Sphere | CVE-2020-16986 | Azure Sphere Denial of Service Vulnerability |
Azure Sphere | CVE-2020-16987 | Azure Sphere Unsigned Code Execution Vulnerability |
Azure Sphere | CVE-2020-16984 | Azure Sphere Unsigned Code Execution Vulnerability |
Azure Sphere | CVE-2020-16981 | Azure Sphere Elevation of Privilege Vulnerability |
Azure Sphere | CVE-2020-16982 | Azure Sphere Unsigned Code Execution Vulnerability |
Azure Sphere | CVE-2020-16983 | Azure Sphere Tampering Vulnerability |
Azure Sphere | CVE-2020-16988 | Azure Sphere Elevation of Privilege Vulnerability |
Azure Sphere | CVE-2020-16993 | Azure Sphere Elevation of Privilege Vulnerability |
Azure Sphere | CVE-2020-16994 | Azure Sphere Unsigned Code Execution Vulnerability |
Azure Sphere | CVE-2020-16970 | Azure Sphere Unsigned Code Execution Vulnerability |
Azure Sphere | CVE-2020-16992 | Azure Sphere Elevation of Privilege Vulnerability |
Azure Sphere | CVE-2020-16989 | Azure Sphere Elevation of Privilege Vulnerability |
Azure Sphere | CVE-2020-16990 | Azure Sphere Information Disclosure Vulnerability |
Azure Sphere | CVE-2020-16991 | Azure Sphere Unsigned Code Execution Vulnerability |
Common Log File System Driver | CVE-2020-17088 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Microsoft Browsers | CVE-2020-17058 | Microsoft Browser Memory Corruption Vulnerability |
Microsoft Dynamics | CVE-2020-17005 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Microsoft Dynamics | CVE-2020-17018 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Microsoft Dynamics | CVE-2020-17021 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Microsoft Dynamics | CVE-2020-17006 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Microsoft Exchange Server | CVE-2020-17083 | Microsoft Exchange Server Remote Code Execution Vulnerability |
Microsoft Exchange Server | CVE-2020-17085 | Microsoft Exchange Server Denial of Service Vulnerability |
Microsoft Exchange Server | CVE-2020-17084 | Microsoft Exchange Server Remote Code Execution Vulnerability |
Microsoft Graphics Component | CVE-2020-16998 | DirectX Elevation of Privilege Vulnerability |
Microsoft Graphics Component | CVE-2020-17029 | Windows Canonical Display Driver Information Disclosure Vulnerability |
Microsoft Graphics Component | CVE-2020-17004 | Windows Graphics Component Information Disclosure Vulnerability |
Microsoft Graphics Component | CVE-2020-17038 | Win32k Elevation of Privilege Vulnerability |
Microsoft Graphics Component | CVE-2020-17068 | Windows GDI+ Remote Code Execution Vulnerability |
Microsoft Office | CVE-2020-17065 | Microsoft Excel Remote Code Execution Vulnerability |
Microsoft Office | CVE-2020-17064 | Microsoft Excel Remote Code Execution Vulnerability |
Microsoft Office | CVE-2020-17066 | Microsoft Excel Remote Code Execution Vulnerability |
Microsoft Office | CVE-2020-17019 | Microsoft Excel Remote Code Execution Vulnerability |
Microsoft Office | CVE-2020-17067 | Microsoft Excel Security Feature Bypass Vulnerability |
Microsoft Office | CVE-2020-17062 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability |
Microsoft Office | CVE-2020-17063 | Microsoft Office Online Spoofing Vulnerability |
Microsoft Office | CVE-2020-17020 | Microsoft Word Security Feature Bypass Vulnerability |
Microsoft Office SharePoint | CVE-2020-17016 | Microsoft SharePoint Spoofing Vulnerability |
Microsoft Office SharePoint | CVE-2020-16979 | Microsoft SharePoint Information Disclosure Vulnerability |
Microsoft Office SharePoint | CVE-2020-17015 | Microsoft SharePoint Spoofing Vulnerability |
Microsoft Office SharePoint | CVE-2020-17017 | Microsoft SharePoint Information Disclosure Vulnerability |
Microsoft Office SharePoint | CVE-2020-17061 | Microsoft SharePoint Remote Code Execution Vulnerability |
Microsoft Office SharePoint | CVE-2020-17060 | Microsoft SharePoint Spoofing Vulnerability |
Microsoft Scripting Engine | CVE-2020-17048 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2020-17053 | Internet Explorer Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2020-17052 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2020-17054 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Teams | CVE-2020-17091 | Microsoft Teams Remote Code Execution Vulnerability |
Microsoft Windows | CVE-2020-17032 | Windows Remote Access Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17033 | Windows Remote Access Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17026 | Windows Remote Access Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17031 | Windows Remote Access Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17027 | Windows Remote Access Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17030 | Windows MSCTF Server Information Disclosure Vulnerability |
Microsoft Windows | CVE-2020-17028 | Windows Remote Access Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17044 | Windows Remote Access Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17045 | Windows KernelStream Information Disclosure Vulnerability |
Microsoft Windows | CVE-2020-17046 | Windows Error Reporting Denial of Service Vulnerability |
Microsoft Windows | CVE-2020-17043 | Windows Remote Access Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17042 | Windows Print Spooler Remote Code Execution Vulnerability |
Microsoft Windows | CVE-2020-17041 | Windows Print Configuration Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17034 | Windows Remote Access Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17049 | Kerberos Security Feature Bypass Vulnerability |
Microsoft Windows | CVE-2020-17051 | Windows Network File System Remote Code Execution Vulnerability |
Microsoft Windows | CVE-2020-17040 | Windows Hyper-V Security Feature Bypass Vulnerability |
Microsoft Windows | CVE-2020-17047 | Windows Network File System Denial of Service Vulnerability |
Microsoft Windows | CVE-2020-17036 | Windows Function Discovery SSDP Provider Information Disclosure Vulnerability |
Microsoft Windows | CVE-2020-17000 | Remote Desktop Protocol Client Information Disclosure Vulnerability |
Microsoft Windows | CVE-2020-1599 | Windows Spoofing Vulnerability |
Microsoft Windows | CVE-2020-16997 | Remote Desktop Protocol Server Information Disclosure Vulnerability |
Microsoft Windows | CVE-2020-17001 | Windows Print Spooler Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17057 | Windows Win32k Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17056 | Windows Network File System Information Disclosure Vulnerability |
Microsoft Windows | CVE-2020-17055 | Windows Remote Access Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17010 | Win32k Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17007 | Windows Error Reporting Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17014 | Windows Print Spooler Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17025 | Windows Remote Access Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17024 | Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17013 | Win32k Information Disclosure Vulnerability |
Microsoft Windows | CVE-2020-17011 | Windows Port Class Library Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2020-17012 | Windows Bind Filter Driver Elevation of Privilege Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17106 | HEVC Video Extensions Remote Code Execution Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17101 | HEIF Image Extensions Remote Code Execution Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17105 | AV1 Video Extension Remote Code Execution Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17102 | WebP Image Extensions Information Disclosure Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17082 | Raw Image Extension Remote Code Execution Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17086 | Raw Image Extension Remote Code Execution Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17081 | Microsoft Raw Image Extension Information Disclosure Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17079 | Raw Image Extension Remote Code Execution Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17078 | Raw Image Extension Remote Code Execution Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17107 | HEVC Video Extensions Remote Code Execution Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17110 | HEVC Video Extensions Remote Code Execution Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17113 | Windows Camera Codec Information Disclosure Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17108 | HEVC Video Extensions Remote Code Execution Vulnerability |
Microsoft Windows Codecs Library | CVE-2020-17109 | HEVC Video Extensions Remote Code Execution Vulnerability |
Visual Studio | CVE-2020-17104 | Visual Studio Code JSHint Extension Remote Code Execution Vulnerability |
Visual Studio | CVE-2020-17100 | Visual Studio Tampering Vulnerability |
Windows Defender | CVE-2020-17090 | Microsoft Defender for Endpoint Security Feature Bypass Vulnerability |
Windows Kernel | CVE-2020-17035 | Windows Kernel Elevation of Privilege Vulnerability |
Windows Kernel | CVE-2020-17087 | Windows Kernel Local Elevation of Privilege Vulnerability |
Windows NDIS | CVE-2020-17069 | Windows NDIS Information Disclosure Vulnerability |
Windows Update Stack | CVE-2020-17074 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability |
Windows Update Stack | CVE-2020-17073 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability |
Windows Update Stack | CVE-2020-17071 | Windows Delivery Optimization Information Disclosure Vulnerability |
Windows Update Stack | CVE-2020-17075 | Windows USO Core Worker Elevation of Privilege Vulnerability |
Windows Update Stack | CVE-2020-17070 | Windows Update Medic Service Elevation of Privilege Vulnerability |
Windows Update Stack | CVE-2020-17077 | Windows Update Stack Elevation of Privilege Vulnerability |
Windows Update Stack | CVE-2020-17076 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability |
Windows WalletService | CVE-2020-16999 | Windows WalletService Information Disclosure Vulnerability |
Windows WalletService | CVE-2020-17037 | Windows WalletService Elevation of Privilege Vulnerability |