Microsoft has released its October 2020 security updates, which fix 87 vulnerabilities in Microsoft products, alongside an Adobe Flash Player update. This post gives our vulnerability score and tips for each patch released.
Of the 87 patches, 12 are classed as critical, 74 are classed as important and 1 is classed as moderate.
Top Vulnerabilities:
While there were no zero-days this month, there are a handful of more interesting critical vulnerabilities:
- CVE-2020-16911: GDI+ Remote Code Execution Vulnerability
- CVE-2020-16947: Microsoft Outlook Remote Code Execution Vulnerability
- CVE-2020-16898: Windows TCP/IP Remote Code Execution Vulnerability
- CVE-2020-16891: Windows Hyper-V Remote Code Execution Vulnerability
- CVE-2020-16915: Media Foundation Memory Corruption Vulnerability
Other Products:
Other companies have also released their security updates for this month:
- Adobe: Adobe Flash Player
- Apple: macOS, tvOS and watchOS
- Intel: October 2020 platform update
- SAP: October 2020 security updates
All the patches can be found in the table below or alternatively downloaded here.
We have also curated a Patching Best Practice.
| Category | Count | CVE IDs | CVE Title | Severity | FIT Score | Tip |
|---|---|---|---|---|---|---|
| | 1 | CVE-2020-16937 | .NET Framework Information Disclosure Vulnerability | Important | | This update is in your normal monthly updates for Windows Operating Systems. |
| Adobe Flash Player | 1 | ADV200012 | October 2020 Adobe Flash Security Update | Critical | 5/5 | Flash is still used on various platforms, so this is definitely worth applying even with Flash support ending on 31/12/2020. This is a separate patch from the monthly roll-ups. |
| Azure | 2 | CVE-2020-16995, CVE-2020-16904 | Network Watcher Agent Virtual Machine Extension for Linux Elevation of Privilege Vulnerability; Azure Functions Elevation of Privilege Vulnerability | Important | 3/5 | The first CVE relates to Linux VMs in Azure. It's worth noting that a lot of appliance-based VMs are Linux-based, so they may be affected. The second CVE has no patch to apply; restarting your Azure Functions app will update it. |
| Group Policy | 1 | CVE-2020-16939 | Group Policy Elevation of Privilege Vulnerability | Important | 3/5 | This update is in your normal monthly updates for Windows Operating Systems. |
| Microsoft Dynamics | 3 | CVE-2020-16978, CVE-2020-16956, CVE-2020-16943 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability; Dynamics 365 Commerce Elevation of Privilege Vulnerability | Important | 2/5 | This update should be applied if you have Microsoft Dynamics. |
| Microsoft Exchange Server | 1 | CVE-2020-16969 | Microsoft Exchange Information Disclosure Vulnerability | Important | 2/5 | This update should be applied if you have on-premise Exchange. |
| Microsoft Graphics Component | 2 | CVE-2020-16911, CVE-2020-16923 | GDI+ Remote Code Execution Vulnerability; Microsoft Graphics Components Remote Code Execution Vulnerability | Critical | 4/5 | This update is in your normal monthly updates for Windows Operating Systems. |
| Microsoft Graphics Component | 2 | CVE-2020-16914, CVE-2020-1167 | Windows GDI+ Information Disclosure Vulnerability; Microsoft Graphics Components Remote Code Execution Vulnerability | Important | 4/5 | This update is in your normal monthly updates for Windows Operating Systems. |
| Microsoft NTFS | 1 | CVE-2020-16938 | Windows Kernel Information Disclosure Vulnerability | Important | 3/5 | Applicable to Windows 10 Version 2004. Forms part of the monthly cumulative update. |
| Microsoft Office | 2 | CVE-2020-16947, CVE-2020-17003 | Microsoft Outlook Remote Code Execution Vulnerability; Base3D Remote Code Execution Vulnerability | Critical | 5/5 | A set of specific updates for various Microsoft Office versions has been released. Bear in mind that later versions, like 365, require Click-to-Run. |
| Microsoft Office | 11 | CVE-2020-16933, CVE-2020-16929, CVE-2020-16934, CVE-2020-16932, CVE-2020-16930, CVE-2020-16955, CVE-2020-16928, CVE-2020-16957, CVE-2020-16918, CVE-2020-16931, CVE-2020-16954 | Microsoft Word Security Feature Bypass Vulnerability; Microsoft Excel Remote Code Execution Vulnerability; Microsoft Office Click-to-Run Elevation of Privilege Vulnerability; Microsoft Excel Remote Code Execution Vulnerability; Microsoft Office Click-to-Run Elevation of Privilege Vulnerability; Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability; Base3D Remote Code Execution Vulnerability; Microsoft Excel Remote Code Execution Vulnerability; Microsoft Office Remote Code Execution Vulnerability | Important | 5/5 | A set of specific updates for various Microsoft Office versions has been released. Bear in mind that later versions, like 365, require Click-to-Run. |
| Microsoft Office | 1 | CVE-2020-16949 | Microsoft Outlook Denial of Service Vulnerability | Moderate | 3/5 | A set of specific updates for Microsoft Outlook versions has been released. Bear in mind that later versions, like 365, require Click-to-Run. |
| Microsoft Office SharePoint | 2 | CVE-2020-16951, CVE-2020-16952 | Microsoft SharePoint Remote Code Execution Vulnerability; Microsoft SharePoint Remote Code Execution Vulnerability | Critical | 4/5 | Essential if SharePoint is run on-premise. SharePoint Online is updated by Microsoft automatically. |
| Microsoft Office SharePoint | 8 | CVE-2020-16948, CVE-2020-16953, CVE-2020-16942, CVE-2020-16944, CVE-2020-16945, CVE-2020-16946, CVE-2020-16941, CVE-2020-16950 | Microsoft SharePoint Information Disclosure Vulnerability; Microsoft SharePoint Reflective XSS Vulnerability; Microsoft Office SharePoint XSS Vulnerability | Important | 4/5 | These form part of the same updates as the row above. Applying these updates takes care of all on-premise SharePoint vulnerabilities. |
| Microsoft Windows | 1 | CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 4/5 | This update is in your normal monthly updates for Windows Operating Systems. |
| Microsoft Windows | 29 | CVE-2020-16900, CVE-2020-16901, CVE-2020-16899, CVE-2020-16908, CVE-2020-16909, CVE-2020-16912, CVE-2020-16940, CVE-2020-16907, CVE-2020-16936, CVE-2020-16897, CVE-2020-16895, CVE-2020-16919, CVE-2020-16921, CVE-2020-16920, CVE-2020-16972, CVE-2020-16877, CVE-2020-16876, CVE-2020-16975, CVE-2020-16973, CVE-2020-16974, CVE-2020-16922, CVE-2020-0764, CVE-2020-16980, CVE-2020-1080, CVE-2020-16887, CVE-2020-16885, CVE-2020-16924, CVE-2020-16976, CVE-2020-16935 | Windows Event System Elevation of Privilege Vulnerability; Windows Kernel Information Disclosure Vulnerability; Windows TCP/IP Denial of Service Vulnerability; Windows Setup Elevation of Privilege Vulnerability; Windows Error Reporting Elevation of Privilege Vulnerability; Windows Backup Service Elevation of Privilege Vulnerability; Windows - User Profile Service Elevation of Privilege Vulnerability; Win32k Elevation of Privilege Vulnerability; Windows Backup Service Elevation of Privilege Vulnerability; NetBT Information Disclosure Vulnerability; Windows Error Reporting Manager Elevation of Privilege Vulnerability; Windows Enterprise App Management Service Information Disclosure Vulnerability; Windows Text Services Framework Information Disclosure Vulnerability; Windows Application Compatibility Client Library Elevation of Privilege Vulnerability; Windows Backup Service Elevation of Privilege Vulnerability; Windows Elevation of Privilege Vulnerability; Windows Spoofing Vulnerability; Windows Storage Services Elevation of Privilege Vulnerability; Windows iSCSI Target Service Elevation of Privilege Vulnerability; Windows Hyper-V Elevation of Privilege Vulnerability; Windows Network Connections Service Elevation of Privilege Vulnerability; Windows Storage VSP Driver Elevation of Privilege Vulnerability; Jet Database Engine Remote Code Execution Vulnerability; Windows Backup Service Elevation of Privilege Vulnerability; Windows COM Server Elevation of Privilege Vulnerability | Important | 4/5 | This update is in your normal monthly updates for Windows Operating Systems. |
| Microsoft Windows Codecs Library | 2 | CVE-2020-16967, CVE-2020-16968 | Windows Camera Codec Pack Remote Code Execution Vulnerability | Critical | 4/5 | These vulnerabilities have updates for Windows 10 only. |
| PowerShellGet | 1 | CVE-2020-16886 | PowerShellGet Module WDAC Security Feature Bypass Vulnerability | Important | 3/5 | This is an update for PowerShellGet, which can be applied by invoking a PowerShell command to update the module. |
| Visual Studio | 1 | CVE-2020-16977 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Important | 3/5 | This update is not delivered by Windows Update, but rather by the Visual Studio Marketplace. |
| Windows COM | 1 | CVE-2020-16916 | Windows COM Server Elevation of Privilege Vulnerability | Important | 3/5 | This update is in your normal monthly updates for Windows Operating Systems. |
| Windows Error Reporting | 1 | CVE-2020-16905 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | 3/5 | Applicable to Windows 10, 2016 and 2019 operating systems only. |
| Windows Hyper-V | 2 | CVE-2020-16894, CVE-2020-1243 | Windows NAT Remote Code Execution Vulnerability; Windows Hyper-V Denial of Service Vulnerability | Important | 3/5 | Applicable to Windows 10, 2016 and 2019 operating systems only. |
| Windows Hyper-V | 1 | CVE-2020-16891 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 4/5 | This update is in your normal monthly updates for Windows Operating Systems. |
| Windows Installer | 1 | CVE-2020-16902 | Windows Installer Elevation of Privilege Vulnerability | Important | 3/5 | This update is in your normal monthly updates for Windows Operating Systems. |
| Windows Kernel | 5 | CVE-2020-16889, CVE-2020-16892, CVE-2020-16913, CVE-2020-1047, CVE-2020-16910 | Windows KernelStream Information Disclosure Vulnerability; Windows Image Elevation of Privilege Vulnerability; Win32k Elevation of Privilege Vulnerability; Windows Hyper-V Elevation of Privilege Vulnerability; Windows Security Feature Bypass Vulnerability | Important | 3/5 | This update is in your normal monthly updates for Windows Operating Systems. |
| Windows Media Player | 1 | CVE-2020-16915 | Media Foundation Memory Corruption Vulnerability | Critical | 4/5 | Applicable to Windows 10, 2016 and 2019 operating systems only. |
| Windows RDP | 3 | CVE-2020-16863, CVE-2020-16927, CVE-2020-16896 | Windows Remote Desktop Service Denial of Service Vulnerability; Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability; Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 3/5 | The first CVE relates to Windows 7 and 2008 R2, so it is only applicable if you purchased an ESU. The second is applicable to all operating systems and is contained within the normal monthly patching. |
| Windows Secure Kernel Mode | 1 | CVE-2020-16890 | Windows Kernel Elevation of Privilege Vulnerability | Important | 3/5 | Applicable to Windows 10, 2016 and 2019 operating systems only. |
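The PowerShellGet tip and the OS-specific applicability notes in the table (rows that apply to Windows 10, 2016 and 2019 only, to Windows 10 Version 2004 only, or to Windows 7 and 2008 R2 under ESU) in working form, as an added example that is not from the original post or from Foundation IT. It assumes an elevated Windows PowerShell 5.1 session, that Click-to-Run Office installs record their build under the `HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration` registry key, and that `$MinimumPowerShellGetVersion` is a placeholder the operator fills in from Microsoft's advisory for CVE-2020-16886; the Windows build numbers used for the OS checks are general Windows facts, not values from the post.

```powershell
<#
Added triage helper for the October 2020 table (not part of the original post).
Reports which OS-specific rows apply to this host, whether Office is Click-to-Run
(and so updated by that channel rather than a standalone patch), and whether the
installed PowerShellGet is below the fixed version; -UpdatePowerShellGet applies the update.
Assumes an elevated Windows PowerShell 5.1 session.
#>
param(
    # Placeholder: take the fixed PowerShellGet version from Microsoft's CVE-2020-16886 advisory
    [version]$MinimumPowerShellGetVersion = '0.0.0',
    [switch]$UpdatePowerShellGet
)

function Get-OsApplicability {
    # Build number decides which table notes apply to this host
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    [pscustomobject]@{
        Caption              = $os.Caption
        Build                = $build
        # Windows 10 (from build 10240), Server 2016 (14393) and Server 2019 (17763)
        # all sit on the 10.0 line, so the "Windows 10, 2016 and 2019 only" rows apply
        Win10_2016_2019_Rows = ($build -ge 10240)
        # "Windows 10 Version 2004" rows (e.g. CVE-2020-16938) match build 19041 only
        Win10_2004_Rows      = ($build -eq 19041)
        # Windows 7 SP1 / Server 2008 R2 SP1 are build 7601 and need ESU for CVE-2020-16863
        Win7_2008R2_ESU_Rows = ($build -eq 7601)
    }
}

function Get-OfficeChannel {
    # Assumed key: Click-to-Run installs record their build here; MSI installs do not have it
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        $cfg = Get-ItemProperty -Path $c2r
        [pscustomobject]@{
            Channel = 'Click-to-Run'
            Version = $cfg.VersionToReport
            Note    = 'Office rows are serviced by Click-to-Run, not by the per-version patches'
        }
    } else {
        [pscustomobject]@{
            Channel = 'MSI or not installed'
            Version = $null
            Note    = 'Apply the per-version Office updates from the table if Office is present'
        }
    }
}

function Test-PowerShellGetFixed {
    param([version]$Minimum)
    # Highest PowerShellGet version visible on the module path
    $installed = Get-Module -ListAvailable -Name PowerShellGet |
                 Sort-Object Version -Descending | Select-Object -First 1
    [pscustomobject]@{
        Installed = if ($installed) { $installed.Version } else { $null }
        Fixed     = [bool]($installed -and $installed.Version -ge $Minimum)
    }
}

function Update-PowerShellGetModule {
    # Older hosts need TLS 1.2 and a current NuGet provider to reach the PowerShell Gallery
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
    # -AllowClobber lets the new module version replace the in-box commands of the same name
    Install-Module -Name PowerShellGet -Force -AllowClobber -Scope AllUsers
}

Get-OsApplicability
Get-OfficeChannel
$psg = Test-PowerShellGetFixed -Minimum $MinimumPowerShellGetVersion
$psg
if (-not $psg.Fixed -and $UpdatePowerShellGet) {
    Update-PowerShellGetModule
    # Re-check from a fresh module listing after the install
    Test-PowerShellGetFixed -Minimum $MinimumPowerShellGetVersion
}
```

Run it once without the switch to see the report, then with `-UpdatePowerShellGet -MinimumPowerShellGetVersion <fixed version>` on hosts that show `Fixed = False`; the newly installed module is only picked up by new PowerShell sessions, so the re-check inside the script confirms the file on disk, not the version loaded in the current session.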
About the Author: Lizzie Arcari
Lizzie joined Foundation IT in 2019 after graduating from University. She is excited to develop her career in the IT industry, learning from the best.