Patch Tuesday: Microsoft addresses Windows zero-day vulnerability and 111 others
Patches include one for a zero-day flaw disclosed by Google’s researchers last month
Microsoft on Tuesday released its monthly roll-up of security patches, addressing a total of 112 vulnerabilities across a suite of products/platforms.
Of the 112 security flaws fixed this month, 17 are listed as ‘critical’, 93 are ‘important’, while two are ‘low’ in severity. This month’s security up
date also includes a patch for a Windows zero-day bug which was disclosed by Google’s researchers last month, with the claim that it was actively being exploited by cyber actors. The bug, tracked as CVE-2020-17087, affects Windows Server, Windows 10/RT/8.1/7 and arises due to overflow issue in a Windows component that is used for cryptographic functions. Google researchers said that hackers were exploiting the bug in combination with a Chrome bug (CVE-2020-15999) to target Windows systems. Attackers exploited the Chrome vulnerability to execute malicious code inside Chrome and used CVE-2020-17087 to escape the Chrome security sandbox and to elevate the code’s privileges to attack the OS. Google fixed CVE-2020-15999 in Chrome’s latest version (86.0.4240.111) which was released last month. Microsoft rated CVE-2020-17087 as important in severity, likely because a cyber actor would need to have physical access to a vulnerable system in order to exploit the bug. “Chaining vulnerabilities is an important tactic for threat actors,” said Satnam Narang, staff research engineer at Tenable. “While both CVE-2020-15999 and CVE-2020-17087 were exploited in the wild as zero-days, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the FBI last month that highlighted threat actors chaining unpatched vulnerabilities to gain initial access into a target environment and elevate privileges. Even though Google and Microsoft have now patched these flaws, it is imperative for organisations to ensure they’ve applied these patches before threat actors begin to leverage them more broadly.” Another newsworthy fix from Microsoft this month is for the CVE-2020-17051, a remote code execution (RCE) bug existing in Windows' Network File System (NFS). This bug is specifically worrying because Windows NFS lets users to access files across a network and treat them as if they exist in a local file directory. Experts fear that attacker can take advantage of this functionality to gain access to critical systems for a long time. Another notable patch is for CVE-2020-17084, a flaw impacting Exchange Server that could lead to remote code execution. CVE-2020-17040 is a bypass vulnerability in Windows Hyper-V that could enable an attacker to carry out an attack without authentication or interaction with a user. Other Microsoft products that have received security patches this month include Microsoft Windows, Microsoft Windows Codecs Library, Office and Office Services and Web Apps, Edge (EdgeHTML-based and Chromium-based), Internet Explorer (IE), ChakraCore, Microsoft Dynamics, Windows Defender, Microsoft Teams, Visual Studio, Azure SDK and Azure DevOps.
Author: devz123@gmail.com(Dev Kundaliya)
Date: 2020-11-11
computing.co.uk
Fraudsters are targeting Christmas shoppers (2020-11-16) | More people are at risk of being cheated this year according to UK Finance UK Finance the association representing trade and finance institutions in the UK is warning consumers of a spike in online scams targeting people looking for attractive deals on Christmas gifts More people are at risk of being cheated this year says the trade body as non-essential shops remain closed until early December an.. |
DeepMind open-sources Lab2D to support creation of 2D environments for AI and machine learning (2020-11-17) | The system aims to help researchers understand the influence of environments in multi-agent reinforcement learning Alphabet subsidiary DeepMind announced on Monday that it has open-sourced Lab2D a scalable environment simulator for artificial intelligence AI research that facilitates researcher-led experimentation with environment design DeepMind describes Lab2D as a system designed to support cre.. |
Trump fires CISA head Chris Krebs for rejecting claims about voter fraud (2020-11-18) | The move was widely expected following a CISA announcement last week denouncing Trumps claims about electoral fraud Donald Trump has fired the director of the Cybersecurity and Infrastructure Security Agency CISA Chris Krebs who had previously publicly contradicted the outgoing Presidents claims of widespread voter fraud during 2020 election Trump said on Twitter that he was terminating Krebs effe.. |
Passion is the secret to founding a business (2020-12-02) | Panelists talked about passion families and compensation Founding your own company is an exciting exhilarating but also frightening prospect There is no safety net: you do or you die Its not enough to work in an area youre just interested in: there has to be real passion That was the agreement of panelists in the Lets get started panel on day two of the Women in Tech Festival Global There are goin.. |
Credential-related attacks lead to the biggest financial losses, says report (2020-11-10) | Extreme loss events could cost victims 100 times their annual revenue or more says the Cyentia Institute Cyber attacks resulting from stolen credentials are more common and more financially damaging for organisations than any other type of cyber incident according to new research The Cyentia Institutes IRIS Xtreme report pdf reviewed 103 large cyber-loss events from the last five years and found t.. |
The benefits of adding cloud telephony to Microsoft Teams (2020-11-19) | Two-thirds of organisations expect remote work to continue in the long-term - how can you prepare? Remote working has been on the rise for some time but the COVID-19 pandemic has accelerated this trend A recent survey conducted by 451 Research found that 67% of organisations expect remote working policies to remain in place either permanently or for the long-term Many large international companies.. |
Sprawl and silos: how Fivetran is using automation to extract value from data (2020-10-26) | Integrating data into workflows is a prevalent challenge - is automation the way to solve it? Integration is one of the most prevalent challenges facing organisation today: having data spread across multiple apps environments and even cloud providers makes it difficult to extract value Plenty of companies are attempting to solve this problem but most are held back by the need to manually add each .. |
AI and Machine Learning Awards - and the winners are… (2020-10-29) | Artificial intelligence might not be a brand new concept but its use in enterprise IT is certainly growing at start-up rates Every vendor seemingly has an AI-based tool or is using machine learning to solve common problems The challenge is how to sort fact from fiction - or to put it more charitably find the absolute best of the best We launched the AI Machine Learning Awards last year to solve ex.. |
Berners-Lee’s Inrupt releases first commercial offering, the privacy-preserving Enterprise Solid Server (2020-11-09) | ESS offers a route to inclusive capitalism says CEO John Bruce Inrupt the company set up two years ago by Tim Berners-Lee and entrepreneur John Bruce to further the redecentralisation of the web released its first commercial product today an enterprise open source version of Solid Server ESS Solid is a set of open protocols that allow individuals to control their own data be that browsing habits m.. |
Lockdown II: With morale flagging and cabin fever setting in, can our IT heroes rise to the occasion one more time? (2020-11-19) | Lockdown II: With morale flagging and cabin fever setting in can our IT heroes rise to the occasion one more time? In the world of movies follow-ups rarely match the quality of original After all if you are going to rehash a film its likely to have already caught the public imagination in one way or another and that magic can be hard to reproduce So what tends to happen is the sequel has more gore.. |