November Patch Tuesday 2020 Fixes 112 Vulnerabilities

November Patch Tuesday 2020 Fixes 112 Vulnerabilities

November Patch Tuesday Arrives with 112 Fixes

There were 112 vulnerabilities remediated including 17 Critical, 93 Important and 2 marked Low. Microsoft fixed 25 more vulnerabilities this month than October Patch Tuesday and provided a weaponized threat to urgently resolve.

Security updates are also released for Microsoft Office, Internet Explorer, Microsoft Edge, Microsoft Exchange Server, Microsoft Dynamics, Microsoft Windows Codecs Library, Azure Sphere, Windows Defender, Microsoft Teams, Azure SDK, Azure DevOps and Visual Studio.

There have also been a lot of Windows 7 and Windows Server 2008 (including R2) vulnerabilities for anyone who has subscribed to extended support – Windows 7 and Windows Server 2008 (including R2) both has 20 vulnerabilities: 2 Critical and 18 Important.

Robert Brown, Director of Services for Syxsense said, “Along with Microsoft, Adobe fixed 14 bugs last week for Acrobat and Reader and fixed 3 additional bugs for Reader (Android) and Adobe Connect. These issues have been given a Priority 2 which means Adobe is recommending deployment of patches within 30 days.”

Top November Patches and Vulnerabilities

CVE-2020-17087: Windows Kernel Local Elevation of Privilege Vulnerability – this vulnerability is both Weaponized and Public Aware, combined with the CVSS Score of 7.8 and no countermeasure, this should be remediated immediately.

  • Buffer overflow vulnerability in the Windows Kernel, initially made Public Aware when it was used to expose Google Chrome Zero Day in October. This is a very serious issue as the overflow allowed a hacker to break out of the sandbox.
  • Affects Windows 7,8,10 &Windows Server 2008, 2012, 2016
  • Workaround: None
  • Reboot: Maybe

CVE-2020-17051: Windows Network File System Remote Code Execution Vulnerability – has a CVSS score of 9.8 making this one of the top 3 highest vulnerabilities to prioritize this month, no countermeasure is available.

  • This vulnerability will impact companies who are Windows and Linux for file sharing. If exploited, it could cause a Blue / Black Screen failure with the NFS driver or allow code execution.
  • Exploitation: More Likely where NFS is used
  • Affects Windows Server 2008, 2012, 2016, 2019 Core
  • Workaround: None
  • Reboot: Maybe

CVE-2020-17042: Windows Error Reporting Elevation of Privilege Vulnerability – has a CVSS score of 8.8 with no countermeasure and does not require complex access or user privilege.

  • Severity: Critical
  • Affects Windows 7,8,10 & Windows Server 2008, 2012, 2016
  • Workaround: None
  • Reboot: Maybe

Syxsense Recommendations

Based on the Vendor Severity and CVSS Score, we have made a few recommendations below which you should prioritize this month; please pay close attention to any of these which are Publicly Aware and / or Weaponized.

 

CVE Reference Description Vendor Severity CVSS Score Weaponised Publicly Aware Countermeasure Syxsense Recommended
CVE-2020-17087 Windows Kernel Local Elevation of Privilege Vulnerability Important 7.8 Yes Yes No Yes
CVE-2020-17051 Windows Network File System Remote Code Execution Vulnerability Critical 9.8 No No No Yes
CVE-2020-17042 Windows Print Spooler Remote Code Execution Vulnerability Critical 8.8 No No No Yes
CVE-2020-17061 Microsoft SharePoint Remote Code Execution Vulnerability Important 8.8 No No No Yes
CVE-2020-17084 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8.5 No No No Yes
CVE-2020-16970 Azure Sphere Unsigned Code Execution Vulnerability Important 8.1 No No No Yes
CVE-2020-17016 Microsoft SharePoint Spoofing Vulnerability Important 8 No No No Yes
CVE-2020-17105 AV1 Video Extension Remote Code Execution Vulnerability Critical 7.8 No No No Yes
CVE-2020-17101 HEIF Image Extensions Remote Code Execution Vulnerability Critical 7.8 No No No Yes
CVE-2020-17106 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No No Yes
CVE-2020-17107 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No No Yes
CVE-2020-17108 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No No Yes
CVE-2020-17109 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No No Yes
CVE-2020-17110 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No No Yes
CVE-2020-17078 Raw Image Extension Remote Code Execution Vulnerability Critical 7.8 No No No Yes
CVE-2020-17079 Raw Image Extension Remote Code Execution Vulnerability Critical 7.8 No No No Yes
CVE-2020-17082 Raw Image Extension Remote Code Execution Vulnerability Critical 7.8 No No No Yes
CVE-2020-17053 Internet Explorer Memory Corruption Vulnerability Critical 7.5 No No No Yes
CVE-2020-17052 Scripting Engine Memory Corruption Vulnerability Critical 7.5 No No No Yes
CVE-2020-17058 Microsoft Browser Memory Corruption Vulnerability Critical 7.5 No No No Yes
CVE-2020-16988 Azure Sphere Elevation of Privilege Vulnerability Critical 6.9 No No No Yes
CVE-2020-17048 Chakra Scripting Engine Memory Corruption Vulnerability Critical 4.8 No No No Yes
CVE-2020-17010 Win32k Elevation of Privilege Vulnerability Important 7.8 No No No Yes
CVE-2020-17038 Win32k Elevation of Privilege Vulnerability Important 7.8 No No No Yes
CVE-2020-17088 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No No Yes
CVE-2020-17019 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17064 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17065 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17066 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17067 Microsoft Excel Security Feature Bypass Vulnerability Important 7.8 No No No
CVE-2020-17062 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17086 Microsoft Raw Image Extension Information Disclosure Vulnerability Important 7.8 No No No
CVE-2020-17091 Microsoft Teams Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17104 Visual Studio Code JS Hint Extension Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17012 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17024 Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17068 Windows GDI+ Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2020-17035 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17011 Windows Port Class Library Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17041 Windows Print Configuration Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17001 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17014 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17025 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17026 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17027 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17028 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17031 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17032 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17033 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17034 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17043 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17044 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17055 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17070 Windows Update Medic Service Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17073 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17074 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17076 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17077 Windows Update Stack Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17075 Windows USO Core Worker Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-17037 Windows Wallet Service Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2020-16997 Remote Desktop Protocol Server Information Disclosure Vulnerability Important 7.7 No No No
CVE-2020-16992 Azure Sphere Elevation of Privilege Vulnerability Important 7.5 No No No
CVE-2020-17047 Windows Network File System Denial of Service Vulnerability Important 7.5 No No No
CVE-2020-16984 Azure Sphere Unsigned Code Execution Vulnerability Important 7.3 No No No
CVE-2020-16987 Azure Sphere Unsigned Code Execution Vulnerability Important 7.3 No No No
CVE-2020-16991 Azure Sphere Unsigned Code Execution Vulnerability Important 7.3 No No No
CVE-2020-16994 Azure Sphere Unsigned Code Execution Vulnerability Important 7.3 No No No
CVE-2020-17057 Windows Win32k Elevation of Privilege Vulnerability Important 7 No No No
CVE-2020-16998 DirectX Elevation of Privilege Vulnerability Important 7 No No No
CVE-2020-17007 Windows Error Reporting Elevation of Privilege Vulnerability Important 7 No No No
CVE-2020-17063 Microsoft Office Online Spoofing Vulnerability Important 6.8 No No No
CVE-2020-17049 Kerberos Security Feature Bypass Vulnerability Important 6.6 No No No
CVE-2020-17040 Windows Hyper-V Security Feature Bypass Vulnerability Important 6.5 No No No
CVE-2020-16986 Azure Sphere Denial of Service Vulnerability Important 6.2 No No No
CVE-2020-16985 Azure Sphere Information Disclosure Vulnerability Important 6.2 No No No
CVE-2020-16990 Azure Sphere Information Disclosure Vulnerability Important 6.2 No No No
CVE-2020-17085 Microsoft Exchange Server Denial of Service Vulnerability Important 6.2 No No No
CVE-2020-16981 Azure Sphere Elevation of Privilege Vulnerability Important 6.1 No No No
CVE-2020-16982 Azure Sphere Unsigned Code Execution Vulnerability Important 6.1 No No No
CVE-2020-16983 Azure Sphere Tampering Vulnerability Important 5.7 No No No
CVE-2020-17083 Microsoft Exchange Server Remote Code Execution Vulnerability Important 5.5 No No No
CVE-2020-17081 Microsoft Raw Image Extension Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17000 Remote Desktop Protocol Client Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17100 Visual Studio Tampering Vulnerability Important 5.5 No No No
CVE-2020-17102 Web Image Extensions Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17013 Win32k Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17113 Windows Camera Codec Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17029 Windows Canonical Display Driver Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17071 Windows Delivery Optimization Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17036 Windows Function Discovery SSDP Provider Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17004 Windows Graphics Component Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17045 Windows Kernel Stream Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17030 Windows MSCTF Server Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17069 Windows NDIS Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-17056 Windows Network File System Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-1599 Windows Spoofing Vulnerability Important 5.5 No No No
CVE-2020-16999 Windows Wallet Service Information Disclosure Vulnerability Important 5.5 No No No
CVE-2020-1325 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability Important 5.4 No No No
CVE-2020-16989 Azure Sphere Elevation of Privilege Vulnerability Important 5.4 No No No
CVE-2020-16993 Azure Sphere Elevation of Privilege Vulnerability Important 5.4 No No No
CVE-2020-17005 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 5.4 No No No
CVE-2020-17006

Related Posts

April 2024 Patch Tuesday: Microsoft releases 147 fixes this month including 3 Critical Threats.

April 2024 Patch Tuesday: Microsoft releases 147 fixes this month including 3 Critical Threats.

April 9, 2024
Automating Patch and Vulnerability Management for Compliance Success

Automating Patch and Vulnerability Management for Compliance Success

March 21, 2024
March 2024 Patch Tuesday: Microsoft releases 59 fixes this month including 2 Critical Threats and 2 with CVSS Score of 9.0 or Above

March 2024 Patch Tuesday: Microsoft releases 59 fixes this month including 2 Critical Threats and 2 with CVSS Score of 9.0 or Above

March 12, 2024
Third-Party Patching: Don’t Be a Sitting Duck

Third-Party Patching: Don’t Be a Sitting Duck

February 14, 2024