Another Patch Tuesday is here, and we are back into the triple digits. It is almost a relief; last month was such an outlier that I assumed an error in reporting. It looks like for November, 112 vulnerabilities are being patched, with 17 being rated as critical. One is actively being exploited. Microsoft has rolled out its new Security update guide, and with that comes much less information on what is being patched. So I suppose we will see below how close I can make this similar to previous month’s blogs.
Some highlights (or lowlights)
CVE-2020-17087: This one was disclosed by Google late last month. It is combined with a Chrome bug that will allow an attacker to escape the browser sandbox and execute code on the target system. This one is considered actively used and known. Even being known, the patch is deemed to be Important, not Critical, which seems odd.
CVE-2020-17051: This vulnerability has to do with NFS. Without seeing more information about this, I can tell you that it is rated a 9.8 on CVSS, which is just about as bad as can be. The complexity required is low, and it does not require user interaction. Add those together, and I think it is safe to assume this one will be getting a name as more information is released.
CVE-2020-17042: This is a vulnerability for the Print Spooler Service. It also has a low complexity for an attack, but it does require user interaction, so it is not as big a risk as we assume CVE-2020-17051 is.
While we lack as much information as we used to have, based on context clues, we can gather that this one has some pretty severe issues that we want to get patched as soon as possible. It has known exploits and exploits based on what we have looked like; it could be workable. Overall, 24 vulnerabilities can be attacked by Remote Execution, and two (one for Sharepoint CVE-2020-17061) does not require user interaction to exploit. So test quickly and patch soon.
Jordan had spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that is something he should talk about on the internet while drinking most Thursdays on the PDQ webcast.