With all the excitement of the iPhone 12 launch yesterday’s October Patch Tuesday went mostly unnoticed, but the update delivered a very important fix.
Security blog DarkReadings reports that the update fixed 87 vulnerabilities, including 21 remote code execution flaws.
None of the flaws was being exploited in the wild, but 6 were publicly known and could therefore be easily developed.
The most critical remote code execution flaw was CVE-2020-16898, which exploited a flaw in the Windows TCP/IP stack when it improperly handles ICMPv6 Router Advertisement packets. As Microsoft writes:
A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.
To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
Now that a patch is available it should be applied urgently, as the bug has a CVSS score of 9.8 and has been categorized as “exploitation more likely.”
There is also a denial of service flaw (CVE-2020-16899) in the Windows TCP/IP stack, where an improperly handles ICMPv6 Router Advertisement packets would let an attacker cause a target system to stop responding.
“Both vulnerabilities have been deemed more likely to be exploited,” says Chris Hass, director of information security and research at Automox. “The only good news is that Microsoft’s internal security team unearthed the vulnerabilities, meaning PoC [proof of concept] code likely won’t surface until someone reverse engineers the patch and discovers the source of these vulnerabilities.”
The 87 vulnerabilities patched are present in Windows, Office and Office Services and Web Apps, Visual Studio, Azure Functions, .NET Framework, Microsoft Dynamics, Open Source Software, Exchange Server, and the Windows Codecs Library, suggesting admins today have quite a bit of work to do.