Microsoft has broken its long-running streak of bumper Patch Tuesday updates with a more slimline – in comparison with recent months – October 2020 release, containing fixes for 87 vulnerabilities, 11 of them rated as critical.
As ever, the October update spans a multitude of software products, including Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft JET Database Engine, Azure Functions, Open Source Software, Microsoft Exchange Server, Visual Studio, PowerShellGet, Microsoft .NET Framework, Microsoft Dynamics, Adobe Flash Player and Microsoft Windows Codecs Library.
Six of the common vulnerabilities and exposures (CVEs) listed in the October update have already been publicly disclosed, which means malicious actors, unfortunately, have a head start on weaponising them.
“Public disclosure could mean a couple of things,” said Todd Schell, senior product manager at Ivanti. “It could be that a demonstration of exploit was performed at an event or by a researcher. It could also mean proof-of-concept code has been made available. In any case, a public disclosure does mean that threat actors have advanced warning of a vulnerability and this gives them an advantage.
“The mean time to exploit a vulnerability is 22 days, according to a research study from the RAND Institute. If a threat actor gets advanced notice of a vulnerability, they could have a head start of days or even weeks, meaning an exploit may not be very far off. This is one risk indicator that can help companies prioritise what to act on first from a threat perspective.”
Five of the six publicly disclosed vulnerabilities affect Windows 10 and its corresponding server editions: CVE-2020-16898, CVE-2020-16909, CVE-2020-16901, CVE-2020-16885 and CVE-2020-16938. The sixth, CVE-2020-16937, affects .NET Framework.
Of the six publicly disclosed vulnerabilities, threat researchers are assessing CVE-2020-16898 as the most dangerous. Dubbed “Bad Neighbor” by McAfee, it is a wormable remote code execution (RCE) vulnerability in Windows 10 and Windows Server 2019 that arises when the Windows TCP/IP stack (tcpip.sys) improperly handles ICMPv6 router advertisement packets; the trigger is a router advertisement carrying a Recursive DNS Server (RDNSS, option type 25) option whose length field is an even number, a value the parser fails to validate. It can be exploited by sending a single specially crafted packet to a target Windows machine, although, because router advertisements are link-local and are not forwarded by routers, the attacker must already have a foothold on the same network segment as the victim. For machines that cannot be patched immediately, Microsoft's advisory describes a workaround of disabling RDNSS on each IPv6 interface (netsh int ipv6 set int <interface index> rabaseddnsconfig=disable), which can be reverted once the update is installed.
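As an added illustration (not code from the article, from McAfee or from Microsoft), the following Python script checks an ICMPv6 Router Advertisement for the publicly described trigger condition of CVE-2020-16898: an RDNSS option (type 25) whose length field is even, which RFC 8106 forbids because the option is an 8-byte header plus 16 bytes per resolver address, so a valid length is always odd and at least 3. The packets it examines are constructed inline and never transmitted; the prefix, resolver address and option layout are assumptions for the demonstration, and the check is a detection aid for packet captures or IDS rules, not a vulnerability test of a live host.

```python
"""Flag ICMPv6 Router Advertisements carrying a malformed RDNSS option.

Added example, not code from the article, McAfee or Microsoft. It implements
the publicly described trigger condition for CVE-2020-16898: an RDNSS option
(type 25) whose length field is even. RFC 8106 requires the length to be odd
and at least 3 (8-byte header + 16 bytes per address). The sample packets
below are constructed here for the demonstration and are never sent.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
RA_HEADER_LEN = 16  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


@dataclass
class Finding:
    offset: int          # byte offset of the offending option within the ICMPv6 payload
    opt_type: int
    opt_len_units: int   # option length field, in units of 8 octets
    reason: str


def check_router_advertisement(icmpv6: bytes) -> List[Finding]:
    """Walk the option TLVs of an ICMPv6 RA and return anything that violates
    the RFC 4861 / RFC 8106 length rules. Non-RA input yields no findings."""
    findings: List[Finding] = []
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return findings
    off = RA_HEADER_LEN
    while off + 2 <= len(icmpv6):
        otype, olen = icmpv6[off], icmpv6[off + 1]
        if olen == 0:
            findings.append(Finding(off, otype, olen, "option length 0 is forbidden by RFC 4861"))
            break  # cannot advance past a zero-length option
        size = olen * 8
        if off + size > len(icmpv6):
            findings.append(Finding(off, otype, olen, "option length runs past end of packet"))
            break
        if otype == OPT_RDNSS and (olen < 3 or olen % 2 == 0):
            findings.append(Finding(off, otype, olen,
                                    "RDNSS length must be odd and >= 3 (RFC 8106); "
                                    "an even value is the CVE-2020-16898 trigger"))
        off += size
    return findings


# --- constructed sample packets (assumed values, not captures) ---------------

def build_ra(options: bytes) -> bytes:
    """Minimal RA header. Checksum stays 0: the packet is only parsed, never sent."""
    return struct.pack("!BBHBBHII",
                       ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,  # type, code, checksum
                       64, 0x40, 1800,                      # hop limit, flags (O), router lifetime
                       0, 0) + options                      # reachable time, retrans timer


def prefix_info_option(prefix: str = "2001:db8::/64") -> bytes:
    """Ordinary Prefix Information option (type 3, length 4) so the RDNSS
    option is not the first TLV, as in a real advertisement."""
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                       86400, 14400, 0) + net.network_address.packed


def rdnss_option(length_units: int, addresses: List[str]) -> bytes:
    """RDNSS TLV with an explicit length field, zero-padded or truncated to
    length_units*8 bytes so a bogus (even) length can be produced."""
    body = struct.pack("!BBHI", OPT_RDNSS, length_units, 0, 3600)
    body += b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return body.ljust(length_units * 8, b"\x00")[: length_units * 8]


# One resolver: 8-byte header + 16-byte address = 24 bytes = length 3 (valid).
BENIGN_RA = build_ra(prefix_info_option() + rdnss_option(3, ["2001:4860:4860::8888"]))
# Same content but length field 4: 32 bytes, i.e. one and a half addresses.
MALFORMED_RA = build_ra(prefix_info_option() + rdnss_option(4, ["2001:4860:4860::8888"]))
NOT_AN_RA = b"\x80\x00\x00\x00"  # ICMPv6 Echo Request header, ignored by the checker


if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RA), ("malformed", MALFORMED_RA)):
        print(name, check_router_advertisement(pkt) or "clean")
```

Run it directly to see the two sample packets classified; in practice the function would be fed the ICMPv6 payload (everything after the IPv6 header) of router advertisements taken from a capture. The zero-length and truncated-option branches are there because a parser that only looks for the even-length case can itself be stalled or run off the end of the buffer by a hostile packet.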
Steve Povolny, McAfee’s head of advanced threat research, said the most obvious impact would be to consumers running Windows 10 machines, but that with automated updates, this would be minimised quickly. He added that Shodan.io queries had suggested that the number of publicly exposed Windows Server 2019 machines was probably somewhere in the hundreds, probably because most are either behind firewalls or hosted by cloud service providers, and so do not show up in scans.