Microsoft has issued its first patch update for eight months fixing fewer than 100 CVEs, although six are related to publicly disclosed bugs and will need prioritizing.
October’s Patch Tuesday yesterday addressed 87 vulnerabilities including 11 rated critical.
Many experts pointed to CVE-2020-16898, which has a CVSS score of 9.8, as a priority.
“This is a remote code execution vulnerability in Microsoft’s TCP/IP stack. The vulnerability is in the way the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets,” explained Recorded Future senior security architect, Allan Liska.
“For successful exploitation of this vulnerability, all an attacker has to do is send a specially crafted ICMPv6 Router Advertisement packet to a remote Windows computer. This vulnerability impacts Windows 10 and Windows Server 2019 and should be patched immediately.”
Elsewhere, five of the six bugs affect Windows 10 and related server editions: CVE-2020-16908, CVE-2020-16909, CVE-2020-16901, CVE-2020-16885 and CVE-2020-16938. The sixth affects the .Net Framework (CVE-2020-16937).
Todd Schell, senior product manager at Ivanti, also pointed to CVE-2020-16947, a vulnerability in Microsoft Outlook which could allow remote code execution just by viewing a specially crafted email.
“The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted,” he added. “The flaw exists within the parsing of HTML content in an email. Patch this one quickly. It will be an attractive target for threat actors.”
Another RCE flaw, this time in Windows Hyper-V, is CVE-2020-16891.
“This patch corrects a bug that allows an attacker to run a specially crafted program on an affected guest OS to execute arbitrary code on the host OS. A guest OS escape like this would also be very attractive to threat actors,” said Schell.
Microsoft also released a preview of its new update guide this month. It’s designed to provide a more intuitive layout so sysadmins can get to the risk-based information they need quicker, including exploited and publicly disclosed vulnerabilities.