Microsoft's November Security Bundle Addresses 112 Vulnerabilities

Microsoft released its November bundle of security patches on Tuesday, addressing 112 common vulnerabilities and exposures (CVEs).

A partial list of the software needing to get patched this month can be found in Microsoft's "Release Notes" publication. In addition to Windows and Office products needing patches, this month brings back browser fixes, which had been notably absent last month. The browser fixes likely account for this month's bulk, according to Todd Schell, senior product manager for security at Ivanti.

"In October, Microsoft did not have an update for the browsers and there was a noticeable dip in the total number of CVEs addressed," Schell noted via e-mail.

Richard Tsang, a senior software engineer at Rapid7, counted five vulnerabilities this month associated with the Internet Explorer and Microsoft Edge browsers. He noted that those organizations opting to get security-only patches from Microsoft each month aren't getting browser fixes.

"Organizations opting for Security-Only patches should be aware that there are separate Cumulative Security Updates for Internet Explorer," Tsang noted via e-mail.

With this month's release, Microsoft has now returned to its practice, started this year, of delivering hefty 110-plus monthly security patch bundles. Last month, the patch load count fell below 100, but it was an exception rather than a reversal of the new bulky trend.

Big monthly security patch bundles from Microsoft can be considered to be the "new normal," according to security analyst Dustin Childs of Trend Micro's Zero Day Initiative. He wrote a comprehensive guide to the November Microsoft patches in this Zero Day Initiative blog post.

Of the 112 patches, 17 were described by security researchers as being "Critical" in severity, with 93 patches deemed "Important" and two considered to be "Low" in severity. However, Microsoft seems to have moved away from that way of describing its patches. Its newly revised security bulletins now just include Common Vulnerability Scoring System numbers on a one-to-10 scale (higher is worse) along with various one-word descriptors. The one-word descriptors link to boilerplate nonspecific descriptions when the user hovers a mouse cursor over them.

Notable Vulnerabilities
Security researchers still managed to point to a few noteworthy patches this month even with Microsoft's new terse descriptions in security bulletins.

The standout this month is a "Windows kernel local elevation of privilege vulnerability" (CVE-2020-17087) in supported Windows systems, which has been exploited. It's considered to be a so-called "zero-day" flaw and was publicized late last month by Google Project Zero researchers in conjunction with a Google Chrome browser exploit.

CVE-2020-17087 is just rated Important by Microsoft, according to Schell, but the risks associated with the flaw are potentially higher since the attack method is known.

The vulnerability [CVE-2020-17087] affects ESU Win 7 and Server 2008 up to the latest Windows 10 20H2 versions. While the vulnerability is only rated as Important by Microsoft it is a Zero Day and has been publicly disclosed. This means attackers have already been detected using it in the wild and information on how to exploit it has been distributed publicly allowing additional threat actors easy access to reproduce this exploit.

Another notable vulnerability this month is CVE-2020-17051, a remote code execution flaw in the Windows Network File System (NFS). It's likely Critical, but we only have the CVSS score to go by.

"At a 9.8 [CVSS], it's about as critical as a bug can get," Childs noted regarding CVE-2020-17051. The use of NFS makes it potentially "wormable," he added.

More on the CVE-2020-17051 vulnerability was summarized by Chris Hass, director of information security and research at Automox, via e-mail:

Windows' NFS is essentially a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory. As you can imagine, with the functionality this service provides, attackers have been taking advantage of it to gain access to critical systems for a long time. It won't be long before we see scanning of port 2049 increase over the next few days, with exploitation in the wild likely to follow.

That's a useful description, but it's not according to Microsoft's latest trend in its security bulletins, unfortunately.

Another notable patch is CVE-2020-17084, a fix for an Exchange Server vulnerability that could lead to remote code execution. Childs characterized it as Critical, but mostly because people have a hard time keeping Exchange Server patched.

There's also a bypass vulnerability in Windows Hyper-V (CVE-2020-17040). Microsoft's terse description doesn't make for an easy assessment, Childs noted, but an attacker would not need authentication or interaction with a user to carry out an attack. It's rated 6.5 on the CVSS scale.

For IT pros wondering about things like reboots and known issues associated with the November patches, this Microsoft support article offers a list.

Descriptions 'Removed'
Security researchers sometimes disagree with Microsoft's ratings. However, this month, Microsoft went live with its newly revamped "Security Update Guide," which uses one-word descriptors instead of a few sentences to describe a vulnerability. It's possible for readers to hover a mouse cursor over a descriptor to get more information, but the text appears to be boilerplate. Specific explanations are lacking.

Microsoft's security bulletins didn't tend to have much description before this new approach began. Possibly it will leave everyone, including security researchers, in the dark. Childs characterized the change as "Microsoft's removal of the description section of the CVE overview," which seems to be an accurate description.

Of course, the idea with Microsoft's shift toward releasing monthly cumulative updates is that IT pros are supposed to apply the whole of November's patches, without prioritizing them. Nonetheless, IT pros still seem to want to know the details. Now, they aren't there.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • How To Configure Windows 10 for Intel Optane Memory

    Intel's Optane memory technology can significantly improve the performance of your Windows 10 system -- provided you enable it correctly. A single mistake can render the system unbootable. Here's how to do it the right way.

  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

  • Blue Squares Graphic

    Microsoft Previews Azure IoT Edge for Linux on Windows

    Microsoft announced a preview of Azure IoT Edge for Linux on Windows, which lets organizations tap Linux virtual machine processes that also work with Windows- and Azure-based processes and services.

  • How To Automate Tasks in Azure SQL Database

    Knowing how to automate tasks in the cloud will make you a more productive DBA. Here are the key concepts to understand about cloud scripting and a rundown of the best tools for automating code in Azure.

comments powered by Disqus