Microsoft patches actively exploited Windows Kernel flaw

The patch is one of 112 issued in November's Patch Tuesday

Microsoft has released fixes for 112 vulnerabilities, including an actively-exploited zero-day flaw, as part of its November 2020 Patch Tuesday, 

Of the 112 vulnerabilities fixed, 17 were classified as 'critical', 93 as 'important', and two as 'moderate'.

Among the fixes issued by Microsoft was a patch for a zero-day privilege escalation vulnerability in the Windows Kernel Cryptography Driver (cng.sys), tracked under CVE-2020-17087.

According to Tenable staff research engineer Satnam Narang, CVE-2020-17087 was “exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome”.

“The elevation of privilege vulnerability was used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year,” he said.

Narang added that “chaining vulnerabilities is an important tactic for threat actors”.

“The Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the FBI last month that highlighted threat actors chaining unpatched vulnerabilities to gain initial access into a target environment and elevate privileges.

"Even though Google and Microsoft have now patched these flaws, it is imperative for organizations to ensure they’ve applied these patches before threat actors begin to leverage them more broadly."

Microsoft was also criticised for removing CVE description information from its Patch Tuesday release. Tenable CSO Bob Huber described the decision as a “bad move, plain and simple”, adding that “by relying on CVSSv3 ratings alone, Microsoft is eliminating a ton of valuable vulnerability data that can help inform organizations of the business risk a particular flaw poses to them”.

"While I appreciate that they are adopting the industry-standard format in CVSSv3, Microsoft also must consider that many folks who review Patch Tuesday releases aren’t security practitioners. They are the IT counterparts responsible for actually applying the updates who often aren’t able (and shouldn’t have to) decipher raw CVSS data,” said Huber.

Adobe has also released a small security update to resolve vulnerabilities in Connect and Reader Mobile. This comes just days after the software provider urged Windows and macOS users to update their Acrobat and Reader applications after discovering that they contained flaws that could be exploited to execute arbitrary code.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

Sopra Steria cyber attack costs to hit €50 million
Security

Sopra Steria cyber attack costs to hit €50 million

26 Nov 2020
Sophos warns customers of potential data leak
Security

Sophos warns customers of potential data leak

26 Nov 2020
Weekly threat roundup: VMware, GitHub, Facebook, and MobileIron
Security

Weekly threat roundup: VMware, GitHub, Facebook, and MobileIron

26 Nov 2020
Egregor ransomware could take up where Maze left off
Security

Egregor ransomware could take up where Maze left off

26 Nov 2020

Most Popular

80% of cyber professionals say the Computer Misuse Act is working against them
Security

80% of cyber professionals say the Computer Misuse Act is working against them

20 Nov 2020
Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
350,000 Spotify users hacked in credential stuffing attack
Security

350,000 Spotify users hacked in credential stuffing attack

24 Nov 2020