The November security patch bundle from Microsoft fixes 112 security vulnerabilities in their products, including 12 Remote Code Execution vulnerabilities.
Noteworthy vulnerabilities fixed this month include:
Windows Kernel Local Elevation of Privilege: CVE-2020-17087
Observed under active attack in the wild by Google, CVE-2020-17087 is an elevation of privilege vulnerability that was being used in conjunction with a recently patched Chrome vulnerability (CVE-2020-15999) to attack Windows systems. This vulnerability in the Windows Kernel Cryptography Driver was disclosed last week and the fix is included in this week’s patch bundle.
Windows Network File System Remote Code Execution Vulnerability: CVE-2020-17051
Microsoft has changed the level of detail disclosed in their patch notes, and no longer provide a plain English description of the vulnerability nor how it could be exploited. This bug has been awarded a CVSS score of 9.8 and is described as having a low level of attack complexity and not requiring user interaction to exploit. It would be prudent to assume this is a wormable attack and get the patch installed promptly in the absence of any other details.
Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2020-17084
Again, details of this vulnerability are sparse from Microsoft, although the CVSS summary indicates this vulnerability can be exploited over the network by an unauthenticated attacker and no user interaction is required for the attack to succeed. Exchange can be one of the tricker systems to patch if an outage of the Email service is required or risked by the patching – so get this one on the calendar as soon as possible.