It’s been a while since the last edition, but welcome back to the seventh edition of PatchWork! For this October Patch Tuesday, amazingly, we have fewer than 100 vulnerabilities to take care of, the first month in a series of 8 months in which this has occurred. There are a couple of these that we need to pay attention to, so without further ado, let’s dive into them!
Would You Be My “Bad Neighbor”?
One vulnerability patched this month is a very easily abused Windows 10 and Windows Server 2019 bug that could be used to install malware just by sending a malformed packet of data to a vulnerable system. Security vendor McAfee has dubbed this vulnerability, CVE-2020-16898, “Bad Neighbor”. An exploit for it is apparently “extremely simple and perfectly reliable”, and the bug is eminently “wormable”, meaning it can be weaponized into a threat that spreads quickly within a network.
McAfee’s Steve Povolny is quoted: “It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations. The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable.”
All sysadmins who manage a Windows Server 2019 machine or a Windows 10 network should push at least this patch through, if nothing else.
Microsoft Outlook’s Preview Pane – A Method of Attack
Trend Micro’s Zero Day Initiative (ZDI) also called attention to another critical bug that was successfully patched this month: CVE-2020-16947, in which simply previewing a malicious email in Outlook can lead to malware being loaded onto a system. This bug also has to do with the way objects are managed in memory, and the Preview Pane is an attack vector: simply seeing the email there is enough.
Other problems addressed include a few in Exchange Server, Visual Studio, .NET Framework, and a whole slew of other Windows components.
All in all, it ended up being a much better month for Microsoft, with fewer vulnerabilities to repair, and only a couple of major ones being spotted on the home front by various security firms. Remember to keep your systems updated, while exercising a healthy level of caution, and stick around for PatchWork to help your Patch Tuesday work for you!