We are ten months into these Patch Tuesday blogs, so we should have this routine down by now. On the bright side, we have 87 CVEs patched. This is the first time since I began writing these in April 2020 that we are below 100, and only 11 of these are considered critical. On the more negative side, 6 of these are already publicly known; at least none of the already known exploits are deemed crucial.
Some highlights (or lowlights)
CVE-2020-16898: This one is the highest-rated vulnerability on the CVSS scale in this Patch Tuesday. It is called Bad Neighbor or Ping of Death Redux, and it allows an attacker to send an ICMPv6 advertisement packet to gain the ability to execute code on a remote machine. It carries a somewhat higher risk because it does not require an end user to run anything for the attack to get through. You can read more about Bad Neighbor here.
CVE-2020-16896: This vulnerability allows an attacker to get information to compromise a user's system through the Remote Desktop Protocol (RDP). They would do it by running a custom application against a server that provides RDP services.
CVE-2020-16947: This is a remote code execution vulnerability in Outlook that stems from the way it handles objects in memory. An attacker using this requires a user to click on a crafted file (or website), which then allows the attacker to run arbitrary code in the System User context.
In review
It is refreshing to have what appears to be a lighter month for patching. Lighter does not mean non-existent, though, and with six lower-risk CVEs already known before they got patched, make sure you get your systems patched as soon as possible. Remember, nobody raised alarm bells in August either, and a month later, it started to become clear how severe ZeroLogon was. Be safe, not sorry about your patching!