November 2020 Patch Commentary
Microsoft has released updates resolving a total of 112 unique common vulnerabilities and exposures (CVEs) this month. This puts us back up over the 110 CVE threshold. In October Microsoft did not have an update for the browsers and there was a noticeable dip in the total number of CVEs addressed. The updates this month affect the Windows Operating System, Office and Office 365, Internet Explorer, Edge, Edge Chromium, Microsoft Exchange Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Teams, Azure SDK, DevOps, ChakraCore and Visual Studio.
One vulnerability has known exploits occurring in the wild already. CVE-2020-17087 is an Elevation of Privilege vulnerability in the Windows Kernel Cryptography Driver, which allows an attacker to elevate their privileges on the system. The vulnerability affects Extended Security Update (ESU) Win 7 and Server 2008 up to the latest Windows 10 20H2 versions. While the vulnerability is only rated as Important by Microsoft, it is a zero-day vulnerability and has been publicly disclosed. This means attackers have already been detected using it in the wild and information on how to exploit it has been distributed publicly, allowing additional threat actors easy access to reproduce this exploit. CVE-2020-17087 was discovered by Google researchers as being exploited in tandem with a Google Chrome flaw (CVE-2020-15999), for which an update was made available on October 20. The two vulnerabilities should be resolved as soon as possible.
Microsoft released Windows 10 20H2 on October 21. While it is light in new features, it includes a couple of nice additions. This release brings full integration of Edge Chromium, improved task bar, better refresh rates for gaming monitors (Yay!), and a slew of fixes to the previous major branch update 2004. It’s important to note how the servicing timelines for Windows 10 branch updates play out. The H1 release is the larger “New Features” release and the H2 release is meant to provide stabilization. So, 2004 had a larger set of new features introduced, but an 18-month lifecycle from release date. 20H2 focused on stabilizing what 2004 introduced and adding a smaller set of enhancements but is meant to be the stable branch for Enterprise, Education, and IoT Enterprise editions with a 30-month lifecycle.
There are a number of Service Stack Updates this month, but the good news is that as of Windows 10 20H2 they are combining the Servicing Stack Update (SSU) with the monthly cumulative update rollup to simplify the process of updating. You would need to enable your 2004 to turn on the 20H2 update or deploy the 20H2 branch upgrade to earlier Win 10 versions, but once you do it will be smoother sailing from there on.
On the third party updates front, today was a little light, but you will want to be sure to account for some very important recent activity.
Oct 20: Google Chrome 86.0.4240.111 resolves 5 CVEs including CVE-2020-15999 (zero-day)
Nov 2: Google Chrome 86.0.4240.183 resolves 10 CVEs including CVE-2020-16009 (zero-day)
Nov 3: Adobe Acrobat and Reader APSB20-67 resolves 14 CVEs
Nov 9: Mozilla Firefox 82.0.3 and ESR 78.4.1 resolving 1 CVE (discovered in Tianfu Cup 2020 International Cybersecurity Contest)
Nov 10: Google Chrome for Android 86.0.4240.185 includes 6 CVEs including CVE-2020-16010 (zero-day)
Daily Bulletin
