October’s security patch bundle from Microsoft resolves 87 vulnerabilities, 12 rated as critical. One of these is a flaw in the Windows TCP/IP stack which can result in a server crash or remote code execution simply by sending a specially crafted ICMPv6 request.
While it is technically challenging to achieve a remote code execution, the ICMP flaw (CVE-2020-16898) in Windows can much more easily be leveraged to trigger a Blue Screen of Death and crash the server. McAfee warns in a blog post that the vulnerability is wormable and needs to be patched urgently. It is worth noting that this vulnerability is not routable over the internet – the attacker must be on a local subnet with the target.
The NCSC Threat Report for 16th October notes the Windows vulnerability (CVE-2020-16898) and points to the US CISA Advisory that criminal gangs are chaining legacy vulnerabilities with the Windows Netlogon vulnerability (aka Zero Logon – CVE-2020-1472) to craft new attacks.
This underlines the importance of patching regularly as updates are released by your software vendors.
Also noteworthy in the Microsoft October patch bundle is a remote code execution vulnerability in Microsoft Outlook which can be leveraged through the preview pane (CVE-2020-16947).
This month also marks the final security updates for Microsoft Office 2010 which reaches end of support as of 13thOctober 2020. Given the prevalence of MS Office based documents for malware delivery, security managers are advised to hunt down any remaining Office 2010 installations on their networks.