News

Microsoft's November Patch Count Passes 100-Mark Again

• By Kurt Mackie
• 11/10/2020

Last month's relatively lightweight patch rollout from Microsoft appears to be an anomaly. Microsoft on Tuesday addressed 112 common vulnerabilities and exposures (CVEs) with its November security update bundle.

A partial list of the software needing to get patched this month can be found in Microsoft's "Release Notes" publication. In addition to Windows and Office products needing patches, this month brings back browser fixes, which had been notably absent last month. The browser fixes likely account for this month's bulk, according to Todd Schell, senior product manager for security at Ivanti.

"In October, Microsoft did not have an update for the browsers and there was a noticeable dip in the total number of CVEs addressed," Schell noted via e-mail.

Richard Tsang, a senior software engineer at Rapid7, counted five vulnerabilities this month associated with the Internet Explorer and Microsoft Edge browsers. He noted that those organizations opting to get security-only patches from Microsoft each month aren't getting browser fixes.

"Organizations opting for Security-Only patches should be aware that there are separate Cumulative Security Updates for Internet Explorer," Tsang noted via e-mail.

With this month's release, Microsoft has now returned to its practice, started this year, of delivering hefty 110-plus monthly security patch bundles. Last month, the patch load count fell below 100, but it was an exception rather than a reversal of the new bulky trend.

Big monthly security patch bundles from Microsoft can be considered to be the "new normal," according to security analyst Dustin Childs of Trend Micro's Zero Day Initiative. He wrote a comprehensive guide to the November Microsoft patches in this Zero Day Initiative blog post.

Of the 112 patches, 17 were described by security researchers as being "Critical" in severity, with 93 patches deemed "Important" and two considered to be "Low" in severity. However, Microsoft seems to have moved away from that way of describing its patches. Its newly revised security bulletins now just include Common Vulnerability Scoring System numbers on a one-to-10 scale (higher is worse) along with various one-word descriptors. The one-word descriptors link to boilerplate nonspecific descriptions when the user hovers a mouse cursor over them.

Notable Vulnerabilities
Security researchers still managed to point to a few noteworthy patches this month even with Microsoft's new terse descriptions in security bulletins.

The standout this month is a "Windows kernel local elevation of privilege vulnerability" (CVE-2020-17087) in supported Windows systems, which has been exploited. It's considered to be a so-called "zero-day" flaw and was publicized late last month by Google Project Zero researchers in conjunction with a Google Chrome browser exploit.

CVE-2020-17087 is just rated Important by Microsoft, according to Schell, but the risks associated with the flaw are potentially higher since the attack method is known.

The vulnerability [CVE-2020-17087] affects ESU Win 7 and Server 2008 up to the latest Windows 10 20H2 versions. While the vulnerability is only rated as Important by Microsoft it is a Zero Day and has been publicly disclosed. This means attackers have already been detected using it in the wild and information on how to exploit it has been distributed publicly allowing additional threat actors easy access to reproduce this exploit.

Another notable vulnerability this month is CVE-2020-17051, a remote code execution flaw in the Windows Network File System (NFS). It's likely Critical, but we only have the CVSS score to go by.

"At a 9.8 [CVSS], it's about as critical as a bug can get," Childs noted regarding CVE-2020-17051. The use of NFS makes it potentially "wormable," he added.

More on the CVE-2020-17051 vulnerability was summarized by Chris Hass, director of information security and research at Automox, via e-mail:

Windows' NFS is essentially a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory. As you can imagine, with the functionality this service provides, attackers have been taking advantage of it to gain access to critical systems for a long time. It won't be long before we see scanning of port 2049 increase over the next few days, with exploitation in the wild likely to follow.

That's a useful description, but it's not according to Microsoft's latest trend in its security bulletins, unfortunately.

Another notable patch is CVE-2020-17084, a fix for an Exchange Server vulnerability that could lead to remote code execution. Childs characterized it as Critical, but mostly because people have a hard time keeping Exchange Server patched.

There's also a bypass vulnerability in Windows Hyper-V (CVE-2020-17040). Microsoft's terse description doesn't make for an easy assessment, Childs noted, but an attacker would not need authentication or interaction with a user to carry out an attack. It's rated 6.5 on the CVSS scale.

For IT pros wondering about things like reboots and known issues associated with the November patches, this Microsoft support article offers a list.

Descriptions 'Removed'
Security researchers sometimes disagree with Microsoft's ratings. However, this month, Microsoft went live with its newly revamped "Security Update Guide," which uses one-word descriptors instead of a few sentences to describe a vulnerability. It's possible for readers to hover a mouse cursor over a descriptor to get more information, but the text appears to be boilerplate. Specific explanations are lacking.

Microsoft's security bulletins didn't tend to have much description before this new approach began. Possibly it will leave everyone, including security researchers, in the dark. Childs characterized the change as "Microsoft's removal of the description section of the CVE overview," which seems to be an accurate description.

Of course, the idea with Microsoft's shift toward releasing monthly cumulative updates is that IT pros are supposed to apply the whole of November's patches, without prioritizing them. Nonetheless, IT pros still seem to want to know the details. Now, they aren't there.