Ivanti assesses October Patch Tuesday: Fewer resolved vulnerabilities and no further browser update from Microsoft promote exploit development.
In October, Microsoft broke its Patch Tuesday series of 100 CVEs per month: only 87 CVEs were resolved this month. Six of them had been publicly disclosed. Public disclosure gives attackers a jumpstart in researching and developing exploits, so these CVEs deserve special attention.
Open vulnerabilities invite exploit attackers
The big news in October: Microsoft has presented a preview version of its new update guide, and it brings some interesting improvements. For example, the Microsoft Vulnerability View offers quick access to further risk-focused information. Columns such as “Exploited” and “Publicly Disclosed” let you sort the list and see quickly whether there are any high-risk items, such as this month's six publicly disclosed CVEs. A public disclosure can mean several things. The exploit may have been demonstrated at an event or by a team of researchers, or proof-of-concept code may have been made available. In any case, a public disclosure gives threat actors an early indication of a vulnerability, and with it a time advantage. According to a research study by the RAND Institute, the average time to exploit a vulnerability is 22 days. A threat actor who learns about a vulnerability at an early stage gains a head start of days or even weeks, so an exploit is often not long in coming. This risk indicator helps companies set priorities from the threat perspective.
Browser vulnerabilities still open
This month, five of the publicly disclosed vulnerabilities affect Windows 10 and its server editions (CVE-2020-16908, CVE-2020-16909, CVE-2020-16901, CVE-2020-16885, CVE-2020-16938). The sixth concerns the .NET Framework (CVE-2020-16937). Noteworthy this month: no browser vulnerabilities are fixed. At the time of publication, Microsoft had not reported any CVEs against IE or Edge and had not listed the browsers as affected products this month.
Other major vulnerabilities this month:
CVE-2020-16947 is a remote code execution vulnerability in Microsoft Outlook. Affected versions of Outlook can be exploited simply by displaying a specially crafted email. The preview pane is an attack vector here, so the email does not even have to be opened for the user to be affected. The flaw lies in the parsing of HTML content in an email. This vulnerability should be addressed quickly, as it will be an attractive target for threat actors.
CVE-2020-16891 is a remote code execution vulnerability in Windows Hyper-V. The patch fixes a bug that could allow an attacker to run a specially crafted program on an affected guest operating system in order to execute arbitrary code on the host operating system. Such a breakout from the guest operating system would also be very attractive to threat actors.