October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug
Microsoft has pushed out fixes for 87 security vulnerabilities in October - 11 of them critical - and one of those is potentially wormable.
"Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60 percent of the vulnerabilities listed, along with over half of the critical RCE vulnerabilities resolved today."
Microsoft gives the wormable bug its highest exploitability rating, meaning attacks in the wild are extremely likely; accordingly, it carries a severity rating of 9.8 out of 10 on the CVSS vulnerability scale.
A critical Windows Hyper-V RCE bug, meanwhile, allows an attacker who can run a specially crafted program on an affected guest OS to execute arbitrary code on the host OS. Two other critical bugs impact the Windows Camera Codec; both result from a lack of proper validation of user-supplied data, which can lead to a write past the end of an allocated buffer.
"Security teams are still reeling from efforts around reducing exposure to CVE-2020-1472, and today's Patch Tuesday thankfully brings a slightly lightened load of vulnerabilities compared to the previous seven months, with no vulnerabilities currently known to be exploited in the wild," Jonathan Cran, head of research at Kenna Security, told Threatpost.
News URL: https://threatpost.com/october-patch-tuesday-wormable-bug/160044/
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-08-17 | CVE-2020-1472 | Use of Insufficiently Random Values vulnerability in multiple products. An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). | 0.0 |