News

Microsoft's Patch Rollout Comes in Under 100 for First Time in Months

• By Kurt Mackie
• 10/13/2020

Microsoft addressed just 87 common vulnerabilities and exposures (CVEs) in its October security patch bundle, the first time in months that it has patched under 100 vulnerabilities.

Previous "update Tuesday" releases this year have typically delivered about 110 security patches each month -- a record-breaking streak. That pattern is now broken with the October bundle, per Trend Micro researcher Dustin Childs, in a Zero Day Initiative (ZDI) blog post. 

To hear Cisco's Talos team tell it, though, the October bundle still delivered patches for "more than 100 vulnerabilities."

Todd Schell, a senior product manager for security at Ivanti, affirmed the 87 CVE count. 

For those wanting a definitive count (or wanting to count themselves), Microsoft's currently published "Security Update Guide" for October lets you scroll through 92 pages of mind-numbingly repetitive entries. This guide also includes a maybe hopeful link to a preview version of the guide. It wasn't exactly clear what's different with the preview version. There seems to be more filtering options in it.

Last week, Microsoft also described an improvement in which it is adding Windows Knowledge Base article reference numbers within the URLs that are used to access those articles.

Of the October total, 11 CVEs were rated "Critical" in severity by Microsoft, with 75 deemed "Important," per the ZDI count. There's also one CVE considered to be "Moderate." The cover Windows, Office, SharePoint and many other software products.

Publicly Known CVEs
Six of the CVEs, all rated Important, were described as being publicly known vulnerabilities before Tuesday's patch release. However, none were listed as having been exploited. The six publicly known vulnerabilities are CVE-2020-16937, CVE-2020-16909, CVE-2020-16901, CVE-2020-16938, CVE-2020-16908 and CVE-2020-16885.

These publicly known CVEs should be considered to bear greater risk, Schell suggested. It's thought to take just 22 days to exploit a known vulnerability, on average. Schell also explained what "public disclosure" means for security vulnerabilities:

Public Disclosure could mean a couple things. It could be that a demonstration of exploit was performed at an event or by a researcher. It could also mean proof-of-concept code has been made available. In any case a public disclosure does mean that threat actors have advanced warning of a vulnerability and this gives them an advantage.

Patch Highlights
For an overall glimpse of the affected software, Microsoft published its "Release Notes" for the October security updates, which offers a partial list. It shows things like Azure Functions, Exchange Server, Visual Studio, PowerShellGet and Microsoft Dynamics, among the usual products that get patches each month.

Notably absent from the October bundle were patches for Microsoft's browsers. "Not sure I remember the last time that has happened," Schell said via e-mail.

Of course, in terms of addressing sheer numbers, patching Windows systems is a no-brainer for organizations, according to Richard Tsang, a senior software engineer at Rapid7. Via an e-mailed comment, he quantified the Windows patching effect this month as follows:

As usual, whenever possible, it's better to prioritize updates against the Windows operating system. Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60% of the vulnerabilities listed along with over half of the critical remote code execution vulnerabilities resolved today.

Of the Critical vulnerabilities, the standout among security researchers to get patched appears to be CVE-2020-16898. There's a vulnerability in the Windows TCP/IP stack that "improperly handles ICMPv6 Router Advertisement packets," Microsoft's Knowledge Base article explained. It could lead to remote code execution attacks. It got the highest Common Vulnerability Scoring System (CVSS) score of 9.8 (Base), noted Childs. "Since the code execution occurs in the TCP/IP stack, it is assumed the attacker could execute arbitrary code with elevated privileges," he added.

It's also possible to disable ICMPv6 via PowerShell as a workaround, Tsang noted regarding CVE-2020-16898, which has the benefit of avoiding a reboot:

Luckily, if immediate patching isn't viable due to reboot scheduling, [Microsoft provides PowerShell-based commands](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16898#ID0EUGAC) to disable ICMPv6 RDNSS on affected operating systems. The PowerShell command 'netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable' does not require a reboot to take effect.

Another Critical vulnerability that's notable this month is CVE-2020-16891, which is about a remote code execution issue associated with Windows Hyper-V host servers. An exploit would involve an attacker running "a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code." It has a CVSS score of 8.8 (Base).

The Cisco Talos team also pointed to Critical SharePoint Server vulnerabilities getting patches this month, namely CVE-2020-16951 and CVE-2020-16952, where SharePoint Server 2019, 2016 and 2013 products are affected. "An adversary could exploit these bugs to run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account," the Talos team indicated.

Tsang noted that SharePoint is getting patches for a total of 10 CVEs this month. He similarly pointed to the two vulnerabilities cited above as being the notable ones.