October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

There were 11 critical bugs and six that were unpatched but publicly known in this month’s regularly scheduled Microsoft updates.

Microsoft has pushed out fixes for 87 security vulnerabilities in October – 11 of them critical – and one of those potentially wormable.
This month’s Patch Tuesday overall includes fixes for bugs in Microsoft Windows, Office and Office Services and Web Apps, Azure Functions, Open Source Software, Exchange Server, Visual Studio, .NET Framework, Microsoft Dynamics, and the Windows Codecs Library.
A full 75 are listed as important, and just one is listed as moderate in severity. None are listed as being under active attack, but the group does include six issues that were known but unpatched before this month’s regularly scheduled updates.
11 Critical Bugs
One of the most notable critical bugs, according to researchers, is a remote code-execution (RCE) problem in the TCP/IP stack. That issue (CVE-2020-16898) allows attackers to execute arbitrary code with elevated privileges using a specially crafted ICMPv6 router advertisement.
Microsoft gives this bug its highest exploitability rating, meaning attacks in the wild are extremely likely – and as such, it carries a severity rating of 9.8 out of 10 on the CvSS vulnerability scale. True to the season, it could be an administrator’s horror show.
“If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround,” said Dustin Childs, researcher at Trend Micro’s Zero-Day Initiative (ZDI), in his Patch Tuesday analysis. “You should definitely test and deploy this patch as soon as possible.”
Click to Register!
Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said that an exploit for the bug could be self-propagating, worming through infrastructure without user interaction.
“An attacker can exploit this vulnerability without any authentication, and it is potentially wormable,” he said. “We expect a proof-of-concept (PoC) for this exploit would be dropped soon, and we highly encourage everyone to fix this vulnerability as soon as possible.”
Threatpost has reached out for more technical details on the wormable aspect of the bug.
Another of the critical flaws is an RCE bug in Microsoft Outlook (CVE-2020-16947). The bug can be triggered by sending a specially crafted email to a target; and because the Preview Pane is an attack vector, victims don’t need to open the mail to be infected (ZDI already has a proof-of-concept for this). It can also be used in a web-based attack by convincing users to visit a malicious URL hosting triggering content.
“The specific flaw exists within the parsing of HTML content in an email. The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer,” according to Childs. That bug is rated 8.1 on the CvSS scale.
A critical Windows Hyper-V RCE bug (CVE-2020-16891, 8.8 on the CvSS scale) meanwhile allows an attacker to run a specially crafted program on an affected guest OS to execute arbitrary code on the host OS.
And, other critical problems impact the Windows Camera Codec (CVE-2020-16967 and CVE-2020-16968, both 7.8 on the CvSS scale), both resulting from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer.
“If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” according to Microsoft. “An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Two other critical flaws are RCE problems in SharePoint Server (CVE-2020-16951 and CVE-2020-16952, both 8.6 on the CvSS scale).
“In both cases, the attacker would need to upload a specially crafted SharePoint application package to an affected version of SharePoint to get arbitrary code execution,” explained Childs. “This can be accomplished by an unprivileged SharePoint user if the server’s configuration allows it.”
The remaining critical bugs are RCE issues in Media Foundation Library (CVE-2020-16915, rating 7.8); the Base3D rendering engine (CVE-2020-17003, rating 7.8); Graphics components (CVE-2020-16923, rating 7.8); and the Windows Graphics Device Interface (GDI) (CVE-2020-16911, rating 8.8).
Regarding the latter, the vulnerability exists in the way GDI handles objects in memory, according to Allan Liska, senior security architect at Recorded Future.
“Successful exploitation could allow an attacker to gain control of the infected system with the same administrative privileges as the victim,” he said, via email. “This vulnerability could be exploited by either tricking a victim into visiting a compromised website with a specially crafted document or opening a specially crafted document via a phishing attack.”
6 Publicly Known Bugs
There are also a half-dozen vulnerabilities that have been unpatched until this month, but which were publicly known.
“Public disclosure could mean a couple things,” Todd Schell, senior product manager of security at Ivanti told Threatpost. “It could be that a demonstration of exploit was performed at an event or by a researcher. It could also mean that a PoC code has been made available. In any case, a public disclosure does mean that threat actors have advanced warning of a vulnerability and this gives them an advantage.”
The mean time to exploit a vulnerability from the moment of its disclosure is 22 days, according to a research study from the RAND Institute.
When it comes to these publicly known bugs, a Windows Error Reporting (WER) elevation-of-privilege issue (CVE-2020-16909) stands out, according to Childs, given that bugs in the WER component were recently reported as being used in the wild in fileless attacks.
The six publicly disclosed bugs. Source: Trend Micro’s ZDI.
As for the others, two of are EoP bugs, in the Windows Setup component and the Windows Storage VSP Driver; two are information-disclosure problems in the kernel; and one is an information-disclosure issue in .NET Framework.
“These info-disclosure bugs leak the contents of kernel memory but do not expose any personally identifiable information,” Childs said.
The lighter patch load of 87 fixes is a significant departure from the 110+ patches the software giant has released every month since March. Also, some products were notably absent from the fixes list.
“There are a couple of interesting things this month,” Schell told Threatpost. “There are no browser vulnerabilities being resolved. At the time of release, Microsoft did not have any CVEs reported against IE or Edge and no listing of the browsers as affected products this month. Not sure I remember the last time that has happened.”
Patch Tuesday rolls out this month as Microsoft launches the preview of its new update guide.
“It has provided a few nice improvements,” Schell said. “Quick access to more of the risk-focused information can be found in the vulnerabilities view. Columns like ‘Exploited’ and ‘Publicly Disclosed’ allow you to sort and view quickly if there are high-risk items.”
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Write a comment

Share this article:

Cloud Security
Vulnerabilities
Web Security