Security News > 2020 > November > Microsoft emits 112 security hole fixes – including the cure for a Google-disclosed kernel vuln exploited in the wild
One of the fixed flaws is being actively exploited, the Windows Kernel Cryptography Driver vulnerability disclosed by Google's Project Zero at the end of last month.
The CVE-2020-17087 driver bug was also exploited with CVE-2020-15999, a remote-code exec vulnerability in Chrome's font-parsing code, to also hijack targeted people's PCs. All three bugs are now patched; installing the latest software updates fixes them.
"One of the most notable fixes in this month's release is for CVE-2020-17087, an elevation-of-privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer-overflow vulnerability in the FreeType 2 library used by Google Chrome," Satnam Narang, staff research engineer at security biz Tenable told The Register.
"The elevation-of-privilege vulnerability was used to escape Google Chrome's sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year."
Judging from the above - and that Apple patched exploited-in-the-wild bugs, found by Google Project Zero, in its font parser and kernel code - one might assume someone highly skilled or some top-tier group has lately taken a particular interest in hijacking people's computers and devices via malicious webpages and documents.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/11/11/patch_tuesday_updates/
Related news
- Google takes shots at Microsoft for shoddy security record with enterprise apps (source)
- Microsoft and Security Incentives (source)
- Microsoft releases Exchange hotfixes for security update issues (source)
- Microsoft pulls fix for Outlook bug behind ICS security alerts (source)
- Microsoft cannot keep its own security in order, so what hope for its add-ons customers? (source)
- Kaiser Permanente handed over 13.4M people's data to Microsoft, Google, others (source)
- BeyondTrust Report: Microsoft Security Vulnerabilities Decreased by 5% in 2023 (source)
- Microsoft, Google do a victory lap around passkeys (source)
- Microsoft, Google widen passkey support for its users (source)
- Top 5 Global Cyber Security Trends of 2023, According to Google Report (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-11-11 | CVE-2020-17087 | Incorrect Calculation of Buffer Size vulnerability in Microsoft products Windows Kernel Local Elevation of Privilege Vulnerability | 7.8 |
2020-11-03 | CVE-2020-15999 | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |