The November 2020 Security Update Review

November 10, 2020 | Dustin Childs

November is here and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for November 2020

Adobe kicked off their November patch cycle a bit early by releasing an update for Acrobat and Reader last Tuesday. The patch fixes 14 CVEs, four of which were reported through the ZDI program. Four of these CVEs are rated as Critical and could lead to code execution if a user opened a specially crafted PDF.

Today, Adobe released patches for Reader for Android and Connect fixing three total CVEs. The update for Reader for Android fixes an info disclosure bug. The two CVEs addressed by the Connect patch cover reflective cross-site scripting (XSS) bugs. None of the CVEs fixed by Adobe this or last week were listed as publicly known or under active attack at the time of release.

Microsoft Patches for November 2020

For November, Microsoft released patches to correct 112 CVEs in Microsoft Windows, Office and Office Services and Web Apps, Internet Explorer (IE), Edge (EdgeHTML-based and Chromium-based), ChakraCore, Exchange Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Teams, and Visual Studio. After a brief dip in October, we’re back into the 110+ CVEs per month volume of patches again. That makes eight months this year with this level of patches, so we really need to think of this as the new normal.

Of these 112 patches, 17 are rated as Critical, 93 are rated as Important, and two are rated Low in severity. A total of six of these bugs came through the ZDI program. Only one bug is listed as publicly known and under active attack. You’ll notice some big changes in the documentation for this month’s release (see below for details). Microsoft has decided to withhold the amount of information it publishes about the bugs being patched. Consequently, you’ll see less detail in this blog as well. We’ll still do what we can to parse the release with what data Microsoft does publish and our deep knowledge of bug reports. We do see quite a few of them. Let’s begin take a closer look at some of the more severe bugs in this release, starting with the bug currently being exploited:

-       CVE-2020-17087 - Windows Kernel Local Elevation of Privilege Vulnerability
This privilege escalation bug was publicly disclosed by Google in late October. They noted it was combined with a Chrome bug to escape the browser sandbox and execute code on the target system. While not explicitly stated, the language used makes it seem the exploit is not yet widespread. However, considering there is a full analysis of the bug weeks before the patch, it will likely be incorporated into other exploits quickly.

-       CVE-2020-17084 - Microsoft Exchange Server Remote Code Execution Vulnerability
This patch corrects a code execution bug in Exchange that was reported by Pwn2Own Miami winner Steven Seeley. With no details provided by Microsoft, we can only assume this is the bypass of CVE-2020-16875 he had previously mentioned. It is very likely he will his publish the details of these bugs soon. Microsoft rates this as Important, but I would treat it as Critical, especially since people seem to find it hard to patch Exchange at all.

-       CVE-2020-17051 - Windows Network File System Remote Code Execution Vulnerability
With no description to work from, we need to rely on the CVSS to provide clues about the real risk from this bug. At a 9.8, it’s about as critical as a bug can get. Considering this is listed as no user interaction with low attack complexity, and considering NFS is a network service, you should treat this as wormable until we learn otherwise.

-       CVE-2020-17040 - Windows Hyper-V Security Feature Bypass Vulnerability
Here’s another bug that could be helped by a description. It’s not clear which security feature in Hyper-V is being bypassed or how an attacker can abuse it. Again, the attack complexity is low, authentication is not required, and there is no user interaction. Additional details are needed to accurately judge the risk from this bug, but the title and CVSS values alone put this bug on everyone’s radar.

Here’s the full list of CVEs released by Microsoft for November 2020. 

CVE Title Severity Public Exploited Type
CVE-2020-17087 Windows Kernel Local Elevation of Privilege Vulnerability Important Yes Yes EoP
CVE-2020-17105 AV1 Video Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-16988 Azure Sphere Elevation of Privilege Vulnerability Critical No No EoP
CVE-2020-17048 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17101 HEIF Image Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17106 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17107 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17108 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17109 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17110 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17053 Internet Explorer Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17058 Microsoft Browser Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17078 Raw Image Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17079 Raw Image Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17082 Raw Image Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17052 Scripting Engine Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17051 Windows Network File System Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17042 Windows Print Spooler Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-1325 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability Important No No Spoof
CVE-2020-16986 Azure Sphere Denial of Service Vulnerability Important No No DoS
CVE-2020-16981 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16989 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16992 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16993 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16985 Azure Sphere Information Disclosure Vulnerability Important No No Info
CVE-2020-16990 Azure Sphere Information Disclosure Vulnerability Important No No Info
CVE-2020-16983 Azure Sphere Tampering Vulnerability Important No No Tampering
CVE-2020-16970 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16982 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16984 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16987 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16991 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16994 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-17054 Chakra Scripting Engine Memory Corruption Vulnerability Important No No RCE
CVE-2020-16998 DirectX Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17049 Kerberos Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17090 Microsoft Defender for Endpoint Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17005 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17006 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17018 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17021 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17019 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17064 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17065 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17066 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17067 Microsoft Excel Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17085 Microsoft Exchange Server Denial of Service Vulnerability Important No No DoS
CVE-2020-17083 Microsoft Exchange Server Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17084 Microsoft Exchange Server Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17062 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17063 Microsoft Office Online Spoofing Vulnerability Important No No Spoof
CVE-2020-17081 Microsoft Raw Image Extension Information Disclosure Vulnerability Important No No Info
CVE-2020-17086 Microsoft Raw Image Extension Information Disclosure Vulnerability Important No No Info
CVE-2020-16979 Microsoft SharePoint Information Disclosure Vulnerability Important No No Info
CVE-2020-17017 Microsoft SharePoint Information Disclosure Vulnerability Important No No Info
CVE-2020-17061 Microsoft SharePoint Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17016 Microsoft SharePoint Spoofing Vulnerability Important No No Spoof
CVE-2020-17060 Microsoft SharePoint Spoofing Vulnerability Important No No Spoof
CVE-2020-17091 Microsoft Teams Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17020 Microsoft Word Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17000 Remote Desktop Protocol Client Information Disclosure Vulnerability Important No No Info
CVE-2020-16997 Remote Desktop Protocol Server Information Disclosure Vulnerability Important No No Info
CVE-2020-17104 Visual Studio Code JSHint Extension Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17100 Visual Studio Tampering Vulnerability Important No No Tampering
CVE-2020-17102 WebP Image Extensions Information Disclosure Vulnerability Important No No Info
CVE-2020-17010 Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17038 Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17013 Win32k Information Disclosure Vulnerability Important No No Info
CVE-2020-17012 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17113 Windows Camera Codec Information Disclosure Vulnerability Important No No Info
CVE-2020-17029 Windows Canonical Display Driver Information Disclosure Vulnerability Important No No Info
CVE-2020-17024 Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17088 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17071 Windows Delivery Optimization Information Disclosure Vulnerability Important No No Info
CVE-2020-17007 Windows Error Reporting Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17036 Windows Function Discovery SSDP Provider Information Disclosure Vulnerability Important No No Info
CVE-2020-17068 Windows GDI+ Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17004 Windows Graphics Component Information Disclosure Vulnerability Important No No Info
CVE-2020-17040 Windows Hyper-V Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17035 Windows Kernel Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17045 Windows KernelStream Information Disclosure Vulnerability Important No No Info
CVE-2020-17030 Windows MSCTF Server Information Disclosure Vulnerability Important No No Info
CVE-2020-17069 Windows NDIS Information Disclosure Vulnerability Important No No Info
CVE-2020-17047 Windows Network File System Denial of Service Vulnerability Important No No DoS
CVE-2020-17056 Windows Network File System Information Disclosure Vulnerability Important No No Info
CVE-2020-17011 Windows Port Class Library Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17041 Windows Print Configuration Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17001 Windows Print Spooler Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17014 Windows Print Spooler Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17025 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17026 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17027 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17028 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17031 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17032 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17033 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17034 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17043 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17044 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17055 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-1599 Windows Spoofing Vulnerability Important No No Spoof
CVE-2020-17070 Windows Update Medic Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17073 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17074 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17076 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17077 Windows Update Stack Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17075 Windows USO Core Worker Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17037 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16999 Windows WalletService Information Disclosure Vulnerability Important No No Info
CVE-2020-17057 Windows Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17015 Microsoft SharePoint Spoofing Vulnerability Low No No Spoof
CVE-2020-17046 Windows Error Reporting Denial of Service Vulnerability Low No No DoS

You’ll notice this month’s patch table does not contain the Exploitability Index (XI) rating. Originally, XI was intended to help sysadmins prioritize which patches to test and deploy first. The thought was that some would prioritize Important-rated bugs likely to be exploited over Critical-rated bugs that were unlikely to be exploit. Since that time, security patches from Microsoft have become cumulative. Today, it is rare that you apply one patch for one component – you apply the monthly rollup that fixes many CVEs. Therefore, you have to treat all bugs in that update as though it has the highest XI rating, provided at least one bug fixed has the highest rating. Therefore, it doesn’t make sense to call out the few XI=1 when the whole update should be treat as XI=1. The exploitability index was a good initiative when it was introduced [PDF] back in 2008. These days, it’s an outdated rating that has run its course.

The other big change this month relates to Microsoft’s removal of the description section of the CVE overview. In Microsoft’s examples on their blog explaining the change, they pick some simple cases to review. In those cases, an accurate CVSS is really all you need. After all, there’s only so much you can say about another SharePoint cross-site scripting (XSS) bug or a local privilege escalation that requires you to log on and run a specially crafted program. However, CVSS itself is not flawless. For example, “Privileges Required” and “User Interaction” are relatively straightforward to answer. Other fields, such as “Attack Complexity” does have gray areas where people can disagree on the rating. From Microsoft’s perspective, I’m sure they think they know best about how to rate a bug. There have been times when the researcher who found the bug disagreed.

As someone who has written many bulletins myself, I understand the repetitive nature of these descriptions. I have literally forgotten how many kernel EoP bugs I have written up - and they were all almost identical. However, there are those outlier cases where a description does matter. Two examples are above. Another example is CVE-2020-17049. What security feature in Kerberos is being bypassed? What is the likelihood? As a network defender, I have defenses to mitigate risks beyond just applying security patches. Should I employ those other technologies while the patches roll out? Until I have some idea of the answers to those questions, I can’t accurately assess the risk to my network from this or any of the other bugs with outstanding questions. Hopefully, Microsoft will decide to re-add the executive summaries in future releases.

Back to the actual patches…

Looking at the Critical-rated updates, most involve either one of the browsers or a video codec. We’re seeing more and more research into the multitude of codecs available for Windows, so expect this trend to continue. There’s also a code execution bug in the print spooler that could be worrying. There are quite a few bugs related to Azure Sphere, including a Critical rated one. However, you most likely won’t need to take any action on these bugs. IoT devices running Azure Sphere connected to the Internet check for updates every day and have likely already applied the patches. You only need to take action if your devices are not connected to the Internet or if you are a device manufacturer.

There are a relatively high number of remote code execution bugs getting fixes this month. Beyond the Critical-rated ones already mentioned, the bug in Microsoft Teams stands out – simply because so many students are using Teams right now and may not be as security savvy as adults. It does require user interaction, so remind your kids not to click on links from strangers. There’s also another Exchange Server code execution bug, but this one has a lower CVSS than the one previously mentioned. Steven has been a busy guy.

There are a total of 37 elevation of privilege (EoP) bugs getting fixes this month. In most of these cases, an attacker would need to log in to a target system then run a specially crafted program to escalate privileges. There are a couple of exceptions, such as CVE-2020-17012. IN this case, the specific flaw exists within the bindflt.sys driver. A crafted request with an IOCTL of 0x220000 can perform remapping of directories. This was reported through the ZDI program, so we do have a good understanding of this bug.

There are a significant number of information disclosure bugs being addressed this month as well. For the most part, the information leaked consists of unspecified memory contents. There are a couple of exceptions. The first impacts Azure Sphere and could allow attackers to find device information like resource IDs, SAS tokens, user properties, and other sensitive information. There’s also a bug in SharePoint that could allow attackers to read from the file system.

Six patches address spoofing bugs, but without a description, it’s difficult to guess what these might be. The spoofing bugs in SharePoint typically indicate XSS, but CVE-2020-1599 title “Windows Spoofing Vulnerability” could be just about anything. The same could be said for the tampering fixes for Azure Sphere and Visual Studio. The November release is rounded out by four patches to address XSS in Microsoft Dynamics 365.

The lone advisory for this month is the revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.

Looking Ahead

The final Patch Tuesday for 2020 falls on December 8, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!