Security News > 2020 > November > Microsoft emits 112 security hole fixes – including the cure for a Google-disclosed kernel vuln exploited in the wild
![Microsoft emits 112 security hole fixes – including the cure for a Google-disclosed kernel vuln exploited in the wild](/static/build/img/news/alt/cybercrime-statistics-medium.jpg)
One of the fixed flaws is being actively exploited, the Windows Kernel Cryptography Driver vulnerability disclosed by Google's Project Zero at the end of last month.
The CVE-2020-17087 driver bug was also exploited with CVE-2020-15999, a remote-code exec vulnerability in Chrome's font-parsing code, to also hijack targeted people's PCs. All three bugs are now patched; installing the latest software updates fixes them.
"One of the most notable fixes in this month's release is for CVE-2020-17087, an elevation-of-privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer-overflow vulnerability in the FreeType 2 library used by Google Chrome," Satnam Narang, staff research engineer at security biz Tenable told The Register.
"The elevation-of-privilege vulnerability was used to escape Google Chrome's sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year."
Judging from the above - and that Apple patched exploited-in-the-wild bugs, found by Google Project Zero, in its font parser and kernel code - one might assume someone highly skilled or some top-tier group has lately taken a particular interest in hijacking people's computers and devices via malicious webpages and documents.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/11/11/patch_tuesday_updates/
Related news
- Google takes shots at Microsoft for shoddy security record with enterprise apps (source)
- Microsoft, Google do a victory lap around passkeys (source)
- Microsoft, Google widen passkey support for its users (source)
- Top 5 Global Cyber Security Trends of 2023, According to Google Report (source)
- Microsoft's Brad Smith summoned by Homeland Security committee over 'cascade' of infosec failures (source)
- Azure Service Tags tagged as security risk, Microsoft disagrees (source)
- Microsoft shows venerable and vulnerable NTLM security protocol the door (source)
- The AI Debate: Google's Guidelines, Meta's GDPR Dispute, Microsoft's Recall Backlash (source)
- Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day (source)
- Microsoft delays Windows Recall amid privacy and security concerns (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-11-11 | CVE-2020-17087 | Incorrect Calculation of Buffer Size vulnerability in Microsoft products Windows Kernel Local Elevation of Privilege Vulnerability | 7.8 |
2020-11-03 | CVE-2020-15999 | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |