10
Nov 20

Patch Tuesday, November 2020 Edition

Adobe and Microsoft each issued a bevy of updates today to plug critical security holes in their software. Microsoft’s release includes fixes for 112 separate flaws, including one zero-day vulnerability that is already being exploited to attack Windows users. Microsoft also is taking flak for changing its security advisories and limiting the amount of information disclosed about each bug.

Some 17 of the 112 issues fixed in today’s patch batch involve “critical” problems in Windows, or those that can be exploited by malware or malcontents to seize complete, remote control over a vulnerable Windows computer without any help from users.

Most of the rest were assigned the rating “important,” which in Redmond parlance refers to a vulnerability whose exploitation could “compromise the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

A chief concern among all these updates this month is CVE-2020-17087, which is an “important” bug in the Windows kernel that is already seeing active exploitation. CVE-2020-17087 is not listed as critical because it’s what’s known as a privilege escalation flaw that would allow an attacker who has already compromised a less powerful user account on a system to gain administrative control. In essence, it would have to be chained with another exploit.

Unfortunately, this is exactly what Google researchers described witnessing recently. On Oct. 20, Google released an update for its Chrome browser which fixed a bug (CVE-2020-15999) that was seen being used in conjunction with CVE-2020-17087 to compromise Windows users.

If you take a look at the advisory Microsoft released today for CVE-2020-17087 (or any others from today’s batch), you might notice they look a bit more sparse. That’s because Microsoft has opted to restructure those advisories around the Common Vulnerability Scoring System (CVSS) format to more closely align the format of the advisories with that of other major software vendors.

But in so doing, Microsoft has also removed some useful information, such as the description explaining in broad terms the scope of the vulnerability, how it can be exploited, and what the result of the exploitation might be. Microsoft explained its reasoning behind this shift in a blog post.

Not everyone is happy with the new format. Bob Huber, chief security officer at Tenable, praised Microsoft for adopting an industry standard, but said the company should consider that folks who review Patch Tuesday releases aren’t security practitioners but rather IT counterparts responsible for actually applying the updates who often aren’t able (and shouldn’t have to) decipher raw CVSS data.

“With this new format, end users are completely blind to how a particular CVE impacts them,” Huber said. “What’s more, this makes it nearly impossible to determine the urgency of a given patch. It’s difficult to understand the benefits to end-users. However, it’s not too difficult to see how this new format benefits bad actors. They’ll reverse engineer the patches and, by Microsoft not being explicit about vulnerability details, the advantage goes to attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for defenders to prioritize their remediation efforts.”

Dustin Childs with Trend Micro‘s Zero Day Initiative also puzzled over the lack of details included in Microsoft advisories tied to two other flaws fixed today — including one in Microsoft Exchange Server (CVE-2020-16875) and CVE-2020-17051, which is a scary-looking weakness in the Windows Network File System (NFS).

The Exchange problem, Childs said, was reported by the winner of the Pwn2Own Miami bug finding contest.

“With no details provided by Microsoft, we can only assume this is the bypass of CVE-2020-16875 he had previously mentioned,” Childs said. “It is very likely he will publish the details of these bugs soon. Microsoft rates this as important, but I would treat it as critical, especially since people seem to find it hard to patch Exchange at all.”

Likewise, with CVE-2020-17051, there was a noticeable lack of detail for bug that earned a CVSS score of 9.8 (10 is the most dangerous).

“With no description to work from, we need to rely on the CVSS to provide clues about the real risk from the bug,” Childs said. “Considering this is listed as no user interaction with low attack complexity, and considering NFS is a network service, you should treat this as wormable until we learn otherwise.”

Separately, Adobe today released updates to plug at least 14 security holes in Adobe Acrobat and Reader. Details about those fixes are available here. There are no security updates for Adobe’s Flash Player, which Adobe has said will be retired at the end of the year. Microsoft, which has bundled versions of Flash with its Web browsers, says it plans to ship an update in December that will remove Flash from Windows PCs, and last month it made the removal tool available for download.

Windows 10 users should be aware that the operating system will download updates and install them on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you can back up your files and/or system, see this guide.

But please do back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Tags: , , , , , , , , , ,

31 comments

  1. The new advisory format is truely useless…browsing the releases I am hard pressed to know what to do first. Perhaps this is Microsoft’s way of saying “Just install it all, don’t deliberate about what to do first.” Certainly makes testing in a corporate environment tricky….

  2. Microsoft acts as if all of their customers are ignorant idiots who cannot be trusted. They really need to being shift gears so their messages matches the level of understanding for their various customers. This is called customer service.

    • If you want to shift gears, you would have to close all windows and restart the car……

    • “Microsoft acts as if all of their customers are ignorant idiots who cannot be trusted ”

      That’s because they are?

      • A fairly large portion of endusers could certainly be called idiots when it comes to securing their systems and/or keeping them up to date.

        • Ah, I see now! You sell me a complex tech product, one that is constantly under threat of takeover from outside, but I am an “idiot”, according to tech nerds, if I don’t stay on 24/7 alert status and then jump at every chance to alter the thing you sold me, according to your instructions, and do so nearly instantly.

          End users may be “ignorant” but the idiocy lies elsewhere.

          • It’s not that “complex” to hit update after signing in. It’s not Microsoft’s fault that malicious people are creating new threats on the daily. They used to make the updates automatic, but people complained since it throttled their system for a while. Make up your mind, do you want to be doing it manually, or have it done automatically at the expense of some system resources?

            • But, is it the consumers fault, or a bad product? Is it the consumers fault that something they are doing is dangerous? Is it the consumers fault they bought a dangerous product? You buy a product to use for a function, say a hammer, or access to emails, or play a game, is it the consumers fault if the product does not work as intended? A improperly made hammer head may shatter, or the hammer handle may break, you know not to buy that product again,, and there are many other nail drivers to peruse to purchase. But computer system programs? Grandma wants to view cats, or her grandchild’s latest adventure, should she have to become a fully trained doctor oftheroitical physics to do that? Or attend a security class in computer subsystems to update her knowledge? No, that’s what the programmer does. He is supposed to make it simple for grandma’s who want to view cats. That’s his job. And, yes, there are bad, or incompetent people out there.

          • Ubuntu 18.04 updates in less than 5 minutes, many times doesn’t require a reboot and when it does it tells you. Microsoft has been at this bloody game for over 30 years and the operation of their updates still sucks as bad as it did when I had to insert floppies. Please, there is no logical reason why an update should crash your machine of force you to backups on pain of data loss… Nor should an update take hours to perform. That just leads to negative customer experience and migration to other platforms, at least if you know how to do so.

  3. Thanks for the rundown on the updates and for a fantastic blog.

  4. http://www.intel.com/content/www/us/en/security-center/default.html

    Be sure to click “Show more” for maximum effect.
    Now scroll back up. Take it all in.

  5. If my laptop not performance bsod or unexpectedly reboots, do i must install the microcode update for my cpu? Iam worry install the kb4589208

    • Go to the web site named “Ask Woody”, and sign up for their newsletter, and possibly make a small donation ( it is free mostly); his site has just been taken by an administrator who is an expert on update issues; she’s been writing on his site for years, even back when it was called “Windows Secrets” Everything is written so a layman can understand it, and the discussion lounge is fantastic for solving contemporary computing problems.

      • Thank you for the suggestion about Ask Woody, and noting that a layperson can understand it. Perfect for me!

        • You are welcome! I try to make it my retired life’s work to help people resist computer crime in any way I can, and do it for free. There may be times I look like a shill, but nobody pays my bills but me. Thanks!

          • Yeah me too not as a retired thing I help people in what little free time I have after work. A lot of recovery repair and damage control followed by education. I’ve helped with identity theft and computer compromise. I wish the education could come first but most people until they are hit think everything is fine.

      • JC, most excellent advice ! I have used Woody numerous times, however, now I am a Linux man. Mint and Manjaro are
        updated at least twice per week.

        For those whom wish to continue to use Windoze, I would bookmark “Axe Woody” as it is the best website for explaining Doze updates.

  6. I do not understand any of this Microsoft info.

    Why does Microsoft go ahead and secure my account automatically
    and then let me know it is done.?

    Why do we need to go through all the crap.?
    JUST FIX IT.

  7. My Bluetooth headphones worked. I installed Nov. 2020 windows patch. Now I get a notice, “Couldn’t connect.” I proceeded through the various fixes with no effect. This seems like a cause and effect scenario. Hopefully, a fix soon.

    • Nancy, Windows BT is an odd-duck. I have 3 or 4 different things musical like BT100- Cambridge – Avantree D60 Apt-x HD usb, headphones …etc that at times refuse to reconnect. *I use Linux Ubuntu MATE most the time. They connect there with no issues. But when I try and connect, it refuses on Windows. I have found when you DELETE the device and select the BT area to add a new device … it works. Don’t know why it does this, I don’t really care as I’m on Linux, but with each BT device, I find I had to DELETE it and re-do the process if I had trouble connecting on Windows. Thanks to Mr. Krebs for all his work too. It’s fun to see him foiling the slugs and thugs on the world.

  8. I haven’t gotten the update notification yet but I did get pushed from 1903 to 1909 yesterday. No apparent problems.

  9. Dammit. They roll out this garbage and I have to waste a whole bunch of my time debugging Windows Update failures. This time around there is just one machine that sort of tries to apply the patch, and then it gets to 90%, complains and rolls back. Takes about an hour each time I try.

  10. After the November update and my computer rebooting overnight, my bluetooth also has stopped working.

  11. Thanks Brian for keeping us updated with these patches. Would be nice to have some more info from Microsoft but I can understand their intention of cleaning it up and making the data simpler to read.

  12. This latest update caused issues with Adobe Pbotoshop as I could not open any files in photoshop… doing a roll back to before update now… grrrr

  13. I can’t even get my computer to function outside of safe mode with the new update. It boots up and I’m stuck with the bsod.

  14. NFS is not Windows-specific. It was originally developed by Sun in the early 80s.

  15. This update got installed on one of my remote location servers and now RDT keeps connecting and reconnecting making it almost unusable. Everything was fine before this update got installed. I blame myself for not remembering to switch off autoupdate, but now the box is almost inaccessible for all intents and purposes.

    Anyone else experiencing this? I have checked the RDT setting on each end and they look fine (i.e. the same as they were before the update)

Leave a comment